Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do you extract information from an array of key values in a column with multiple keys?

chalbersma
Engager
‎02-06-2019 11:16 AM

So I've got an event that has an array of key values like so in a column called associated : 

 associates: [
     {
       type: a
       person: person1
     },
     {
       type: b
       person: person2
     },
     {
       type: b
       person: person3
     },
     {
       type: c
       person: person3
     }...]

Now I can pull out all of the people associated with an issue doing the following:

| rename associated{}.person as all_associates

And pull out the "first" associate person like so

| eval dathuman=mvindex(all_assoicates, 0)

But, what I want to do is pull out just the associates of a particular type. So, something that get's me all the associates of type "b" only.

What's the best way to do that?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

chrisyounger
SplunkTrust
SplunkTrust
‎02-06-2019 12:09 PM

Working with MV fields is always a challenge.

Try this: 

| makeresults 
| eval _raw = "{\"associates\":[{\"type\":\"a\",\"person\":\"person1\"},{\"type\":\"b\",\"person\":\"person2\"},{\"type\":\"b\",\"person\":\"person3\"},{\"type\":\"c\", \"person\": \"person3\"      }]}" 
| spath 
| rename associates{}.person as person associates{}.type as type 
| eval both=mvzip(person, type, "#####") 
| fields both 
| mvexpand both 
| makemv both delim="#####" 
| eval person=mvindex(both, 0) 
| eval type=mvindex(both, 1)
| search type = "b"
| table person

View solution in original post

Reply
Solved! Jump to solution
Solution

chrisyounger
SplunkTrust
SplunkTrust
‎02-06-2019 12:09 PM

Working with MV fields is always a challenge.

Try this: 

| makeresults 
| eval _raw = "{\"associates\":[{\"type\":\"a\",\"person\":\"person1\"},{\"type\":\"b\",\"person\":\"person2\"},{\"type\":\"b\",\"person\":\"person3\"},{\"type\":\"c\", \"person\": \"person3\"      }]}" 
| spath 
| rename associates{}.person as person associates{}.type as type 
| eval both=mvzip(person, type, "#####") 
| fields both 
| mvexpand both 
| makemv both delim="#####" 
| eval person=mvindex(both, 0) 
| eval type=mvindex(both, 1)
| search type = "b"
| table person
Reply
Solved! Jump to solution

chalbersma
Engager
‎02-07-2019 11:06 AM

We ended up solving this on the import of data instead of in the query. But this does indeed work. Thanks!

0 Karma
Reply
Get Updates on the Splunk Community!

OpenTelemetry for Legacy Apps? Yes, You Can!

This article is a follow-up to my previous article posted on the OpenTelemetry Blog, "Your Critical Legacy App ...

UCC Framework: Discover Developer Toolkit for Building Technology Add-ons

The Next-Gen Toolkit for Splunk Technology Add-on Development The Universal Configuration Console (UCC) ...

.conf25 Community Recap

Hello Splunkers, And just like that, .conf25 is in the books! What an incredible few days — full of learning, ...