Re: Filter messages based on string in array in JS...

azudet · ‎04-02-2020

I am looking at filtering Kafka messages in Splunk. For that I need to be able to filter which messages show up in my search. However, since I am new to Splunk, I have no idea how to filter the way I want and 2 days of tutorials, reading and messing about haven't brought me any closer to the solution. My even data looks like this:

2020-04-01 13:59:55:803 INFO [messageCoordinator] Sent Kafka message {
"body":{
    "id":"messageID",
    "name":"messageName",
    "channels":"affectedChannels",
    "order":messageOrder, 
    ... 
 },
"headers":{
    "deltaFields":[
        "status",
        "otherString"
    ],
    "level":"messageLevel",
    "operationType":"UPDATE",
    "messageType":"messageType",
    "timestamp":1585746000000,
    "trackingId":6651814029
}

}

Now I need to filter based on headers.deltaFields, which is always present, always a string array but can have multiple values (up to 8 strings) in the array.

I only want the event to show up in my search if certain strings are within the deltaFields. Any help would be highly appreciated.

to4kawa · ‎04-02-2020

index=your_index sourcetype=yours (otherString AND deltaFields)

Just search with strings

to4kawa · ‎04-02-2020

what's your wanted fields?

azudet · ‎04-02-2020

I only want to see the event in the search when I have headers.deltafields contains 'otherString'

Filter messages based on string in array in JSON

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Event Series: Telemetry Pipeline Management

Kick the Tires Before You Commit: A Hands-On Tour of the Splunk Observability Cloud ...

Deep insights, no barriers: Splunk Observability Cloud Free Edition

Join the Conversation