
How to select particular value in array eg AWS tags?

ttovarzoll
Path Finder

The latest version of the Splunk Add-on for AWS has changed the JSON for the "AWS Description" ingest; see examples below. My question is about selecting values from this new 'type' of array.

Before, you could select particular values with the following search syntax:

tags.Name = "server1"

QUESTIONS

1. How do I make the same search with the newer JSON?

2. What is the technical description for these 2 different forms of arrays?

BEFORE

tags: {
     Environment: test
     Name: server1
}

AFTER

Tags: [
     {
       Key: Environment
       Value: test
     }
     {
       Key: Name
       Value: server1
     }
]

0 Karma

ttovarzoll
Path Finder

ok, so I think I've partially answered my question:

  • the first version is a nested-JSON and, since it has unique paths, it is trivial to specify a filter (also to extract the result)
  • the second version is -- I believe... -- a nested multi-value array.  I've dealt with MV arrays before but this time I'm defeated by the nesting.

FYI - the official Splunk doc re MV arrays only has examples where you pick the values by position-ID, e.g. [0], rather than by associated 'Key'

https://docs.splunk.com/Documentation/SCS/current/Search/Arrayandobjectexpressions

-----------------------------------

I found the following StackOverflow discussion which seemed to answer this exact issue ... except that I can't get the 'mvzip' command to accept the Tags{}.Name multi-value?

https://stackoverflow.com/questions/61646035/get-specified-element-in-array-of-json-splunk

Their solution was basically a hack where you combine the 'name' and 'value' arrays, then filter for your target key, and finally re-extract the target value. For the AWS Description Metadata JSON, I'm trying the following -- except that it returns the error, "arguments to mvzip function are invalid"

| eval combined = mvzip( "Tags{}.Key", "Tags{}.Value" )

P.S. I tried the Tags{}.Key both with and without double-quotes around it ...

0 Karma

ttovarzoll
Path Finder

FYI - still replying to my own question ...

I would still like to know how to specify an individual Key/Value pair but I finally found another posting which showed me how to accomplish my real objective -- extracting the 'Name' fields. (I use the IP/Name info to label my VPC Flowlogs.)

index=aws sourcetype=aws:description:metadata source="us-west-2:ec2_instances" "Tags{}.Value"=prod PrivateIpAddress="10.10.*"
| spath Tags{}
| mvexpand Tags{}
| spath input=Tags{}
| table PrivateIpAddress, Key, Value
| where Key="Name"
| fields - Key
0 Karma
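Added example, not from the original poster or the Splunk Add-on documentation: one way to select an instance by a particular tag Key in the AFTER form without mvexpand, assuming the add-on auto-extracts Tags{}.Key and Tags{}.Value as parallel multivalue fields in the same order. In eval, a double-quoted name is a string literal, so field names containing braces must be wrapped in single quotes for mvzip to see the fields.

```spl
index=aws sourcetype=aws:description:metadata source="us-west-2:ec2_instances"
| eval tag_kv = mvzip('Tags{}.Key', 'Tags{}.Value', "=")
| eval name_tag = mvfilter(match(tag_kv, "^Name="))
| eval name_tag = replace(name_tag, "^Name=", "")
| where name_tag="server1"
| table PrivateIpAddress, name_tag, tag_kv
```

To select a different tag, change the `Name=` prefix in both the mvfilter and replace lines; if any tag has an empty Value the two multivalue fields may no longer line up, which is why tag_kv is kept in the table for checking.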