All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to select particular value in array eg AWS tags?

ttovarzoll
Path Finder
‎04-06-2022 11:03 AM

The latest version of the Splunk Add-on for AWS has changed the JSON for the "AWS Description" ingest; see examples below. My question is about selecting values from this new 'type' of array.

Before, you could select particular values with the following search syntax:

tags.Name = "server1"

QUESTIONS

1. How do I make the same search with the newer JSON?

2. What is the technical description for these 2 different forms of arrays?

BEFORE

tags: { [-]
     Environment: test
     Name: server1

AFTER

Tags: [ [-]
     { [-]
       Key: Environment
       Value: test
     }
     { [-]
       Key: Name
       Value: server1
     }

Labels (1)
Labels
0 Karma
Reply

ttovarzoll
Path Finder
‎04-06-2022 02:03 PM

ok, so I think I've partially answered my question:

  • the first version is a nested-JSON and, since it has unique paths, it is trivial to specify a filter (also to extract the result)
  • the second version is -- I believe... -- a nested multi-value array.  I've dealt with MV arrays before but this time I'm defeated by the nesting.

FYI - the official Splunk doc re MV arrays only has examples where you pick the values by position-ID, e.g. [0], rather than by associated 'Key'

https://docs.splunk.com/Documentation/SCS/current/Search/Arrayandobjectexpressions

-----------------------------------

I found the following StackOverflow discussion which seemed to answer this exact issue ... except that I can't get the 'mvzip' command to accept the Tags{}.Name multi-value?

https://stackoverflow.com/questions/61646035/get-specified-element-in-array-of-json-splunk

Their solution was basically a hack where you combine the 'name' and 'value' arrays, then filter for your target key, and finally re-extract the target value. For the AWS Description Metadata JSON, I'm trying the following -- except that it returns the error, "arguments to mvzip function are invalid"

| eval combined = mvzip( "Tags{}.Key", "Tags{}.Value" )

P.S. I tried the Tags{}.Key both with and without double-quotes around it ...

0 Karma
Reply

ttovarzoll
Path Finder
‎04-06-2022 05:16 PM

FYI - still replying to my own question ...

I would still like to know how to specify an individual Key/Value pair but I finally found another posting which showed me how to accomplish my real objection -- extracting the 'Name' fields. (I use the IP/Name info to label my VPC Flowlogs.)

index=aws sourcetype=aws:description:metadata source="us-west-2:ec2_instances 
"Tags{}.Value"=prod PrivateIpAddress="10.10.*"

| spath Tags{} 
| mvexpand Tags{} 
| spath input=Tags{} 
| table PrivateIpAddress, Key, Value 
| where Key="Name" 
| fields - Key
0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...