How to select particular value in array eg AWS tags?

ttovarzoll
Path Finder

The latest version of the Splunk Add-on for AWS has changed the JSON for the "AWS Description" ingest; see examples below. My question is about selecting values from this new 'type' of array.

Before, you could select particular values with the following search syntax:

tags.Name = "server1"

QUESTIONS

1. How do I make the same search with the newer JSON?

2. What is the technical description for these 2 different forms of arrays?

BEFORE

tags: {
    Environment: test
    Name: server1
}

AFTER

Tags: [
    {
        Key: Environment
        Value: test
    }
    {
        Key: Name
        Value: server1
    }
]

0 Karma

ttovarzoll
Path Finder

OK, so I think I've partially answered my question:

  • the first version is nested JSON and, since it has unique paths, it is trivial to specify a filter (also to extract the result)
  • the second version is -- I believe... -- a nested multi-value array. I've dealt with MV arrays before but this time I'm defeated by the nesting.

FYI - the official Splunk doc re MV arrays only has examples where you pick the values by position-ID, e.g. [0], rather than by associated 'Key'

https://docs.splunk.com/Documentation/SCS/current/Search/Arrayandobjectexpressions

-----------------------------------

I found the following StackOverflow discussion which seemed to answer this exact issue ... except that I can't get the 'mvzip' command to accept the Tags{}.Name multi-value?

https://stackoverflow.com/questions/61646035/get-specified-element-in-array-of-json-splunk

Their solution was basically a hack where you combine the 'name' and 'value' arrays, then filter for your target key, and finally re-extract the target value. For the AWS Description Metadata JSON, I'm trying the following -- except that it returns the error, "arguments to mvzip function are invalid"

| eval combined = mvzip( "Tags{}.Key", "Tags{}.Value" )

P.S. I tried the Tags{}.Key both with and without double-quotes around it ...

0 Karma
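As an added example (not from the original post, the StackOverflow answer, or the add-on's documentation), here is the same mvzip approach with the quoting that SPL's eval needs: a field name that contains {} or . has to be wrapped in single quotes, because double quotes make it a string literal, which is what produces the "arguments to mvzip function are invalid" error. The index, sourcetype and source are the ones used in the later post; the tag values are the ones shown in the question.

```spl
index=aws sourcetype=aws:description:metadata source="us-west-2:ec2_instances"
| eval tag_kv=mvzip('Tags{}.Key', 'Tags{}.Value', "=")
| search tag_kv="Name=server1"
| eval name_kv=mvfilter(match(tag_kv, "^Name="))
| rex field=name_kv "^Name=(?<Name>.*)"
| table PrivateIpAddress, Name, tag_kv
```

mvzip pairs the two multivalue fields position by position, so tag_kv holds one "Key=Value" string per tag and the search command matches an event if any of those values equals "Name=server1". That pairing is the point: writing "Tags{}.Key"="Name" "Tags{}.Value"="server1" in the base search only requires that some tag has key Name and some (possibly different) tag has value server1. The rex with (?<Name>.*) keeps everything after the first "=", so a tag value that itself contains "=" survives intact.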

ttovarzoll
Path Finder

FYI - still replying to my own question ...

I would still like to know how to specify an individual Key/Value pair, but I finally found another posting which showed me how to accomplish my real objective -- extracting the 'Name' fields. (I use the IP/Name info to label my VPC Flowlogs.)

index=aws sourcetype=aws:description:metadata source="us-west-2:ec2_instances"
"Tags{}.Value"=prod PrivateIpAddress="10.10.*"
| spath Tags{}
| mvexpand Tags{}
| spath input=Tags{}
| table PrivateIpAddress, Key, Value
| where Key="Name"
| fields - Key
0 Karma
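An added example, not part of the original post, of turning the same extraction into an IP-to-Name lookup for the flow-log labelling mentioned above. It avoids mvexpand (which is subject to memory limits on large result sets) by indexing the Value array at the position where the Key array holds Name, and it filters on the paired tag Environment=prod rather than on any tag whose value happens to be prod. The lookup file name ec2_names.csv, the flow-log sourcetype aws:cloudwatchlogs:vpcflow and the flow-log fields src_ip, dest_ip and action are assumptions for the illustration; check them against your own add-on configuration.

```spl
index=aws sourcetype=aws:description:metadata source="us-west-2:ec2_instances" PrivateIpAddress="10.10.*"
| eval tag_kv=mvzip('Tags{}.Key', 'Tags{}.Value', "=")
| search tag_kv="Environment=prod"
| eval Name=mvindex('Tags{}.Value', mvfind('Tags{}.Key', "^Name$"))
| where isnotnull(Name)
| stats latest(Name) AS Name BY PrivateIpAddress
| outputlookup ec2_names.csv

index=aws sourcetype=aws:cloudwatchlogs:vpcflow
| lookup ec2_names.csv PrivateIpAddress AS src_ip OUTPUT Name AS src_name
| lookup ec2_names.csv PrivateIpAddress AS dest_ip OUTPUT Name AS dest_name
| table _time, src_ip, src_name, dest_ip, dest_name, action
```

mvfind returns the index of the first Key value matching ^Name$ (or null when the instance has no Name tag, which the isnotnull guard drops), and mvindex reads the Value array at that same index; the two arrays line up because the add-on extracts them from the same Tags array in order. The description feed is polled repeatedly, so stats latest() keeps one current name per private IP instead of one row per poll. Run the first search on a schedule to refresh the lookup, then the second search (or a scheduled equivalent) enriches each flow record with the instance names on both ends.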