Get a long string in a form of array without using...

beriwalnishant · ‎06-02-2021

Hi Team,

I have a field that has the data in this format below :

[ { data data data }],[ {data data data}]

As you see the data in the Bar and Curly bracket sets are more than one separated by comma however when I used 'stats count by field' or table field only first set of brackets return, anything after comma is dropped.

With rex I am able to extract the entire string data extracting to new field but I dont want to use Rex on Raw - our company doesnt promote and support it and warn us to not to use it.

I tried delim=, with makemv, mvcombine etc but it only shows data in first set of bar brackets, rex on field also doesnt show data beyond first set of bar brackets.

Is there a way to get the entire string by not using rex on Raw but using field itself.

Thanks in advance

Nishant

beriwalnishant · ‎06-03-2021

Thanks a lot @ITWhisperer

Not sure but they reckon it loads the server so they do not promote using rex, thanks I will try spath but with Rex into new field worked like charm.

It's indeed JSON I forgot to mention it. I did try mvexpand but it doesnt work, for Spath I am unable to work out on what and how to mention in path.

Thanks

ITWhisperer · ‎06-04-2021

Can you share a sample anonymised event in a code block </>

ITWhisperer · ‎06-03-2021

Why does your company not want you to use the tools available to you?

If you were allowed to use rex, have you been using max_match=0?

If this is really JSON (as your tagging seems to suggest) have you tried using spath?

Do you need the different comma delimited parts to be counted separately, e.g. each part in its own event, if so, have you considered split and mvexpand?

Get a long string in a form of array without using Rex

field extraction

JSON

Maximizing the Value of Splunk ES 8.x

Operationalizing TDIR: Building a More Resilient, Scalable SOC

Introducing .conf Stories Series!

Are you a member of the Splunk Community?