All Apps and Add-ons
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to extract a multivalued JSON Field based on a certain condition inside an event in props.conf?

darshildave
Explorer
‎02-12-2019 10:00 PM

Hello,
I want to extract a multivalued field in a nested JSON event

A:    [
         {    [-]
            file: x
            type:a    
         }    
         {    [-]
             file: y
             type:b
         }    
       ]

Here in the above JSON, i want to extract the field named 'file' if and only if the type = 'a' and not 'b'.
Inside props.conf, I specified a condition as mentioned :

EVAL-myfile= if('type'=="a",'file', "")

The problem here is, it will extract even the file where type='b' as they belong to the same event.
Is there a way in props.conf to correctly evaluate the file attribute in this nested JSON ?
Also I need to map this field for Splunk CIM data Model so I can not do this in the search query of dashboards.

0 Karma
Reply

woodcock
Esteemed Legend
‎02-12-2019 10:29 PM

Like this (assuming that you are using INDEXED_EXTRACTIONS = json😞

EVAL-myfile = mvindex(file, mvfind(type, "a"))
0 Karma
Reply

darshildave
Explorer
‎02-14-2019 09:59 PM

No we are not using INDEXED_EXTRACTIONS = json

0 Karma
Reply

woodcock
Esteemed Legend
‎02-14-2019 10:21 PM

Then there are no indexed fields to use at index-time so it is impossible.

0 Karma
Reply
Get Updates on the Splunk Community!

Data Management Digest – November 2025

  Welcome to the inaugural edition of Data Management Digest! As your trusted partner in data innovation, the ...

Splunk Mobile: Your Brand-New Home Screen

Meet Your New Mobile Hub  Hello Splunk Community!  Staying connected to your data—no matter where you are—is ...

Introducing Value Insights (Beta): Understand the Business Impact your organization ...

Real progress on your strategic priorities starts with knowing the business outcomes your teams are delivering ...