Re: How to extract a multivalued JSON Field based...

darshildave · ‎02-12-2019

Hello,
I want to extract a multivalued field in a nested JSON event

A:    [
         {    [-]
            file: x
            type:a    
         }    
         {    [-]
             file: y
             type:b
         }    
       ]

Here in the above JSON, i want to extract the field named 'file' if and only if the type = 'a' and not 'b'.
Inside props.conf, I specified a condition as mentioned :

EVAL-myfile= if('type'=="a",'file', "")

The problem here is, it will extract even the file where type='b' as they belong to the same event.
Is there a way in props.conf to correctly evaluate the file attribute in this nested JSON ?
Also I need to map this field for Splunk CIM data Model so I can not do this in the search query of dashboards.

woodcock · ‎02-12-2019

Like this (assuming that you are using INDEXED_EXTRACTIONS = json😞

EVAL-myfile = mvindex(file, mvfind(type, "a"))

darshildave · ‎02-14-2019

No we are not using INDEXED_EXTRACTIONS = json

woodcock · ‎02-14-2019

Then there are no indexed fields to use at index-time so it is impossible.

How to extract a multivalued JSON Field based on a certain condition inside an event in props.conf?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

May 2026 Splunk Expert Sessions: Security & Observability

Network to App: Observability Unlocked [May & June Series]

Join the Conversation