Solved: How to dedup a field inside JSON arrays?

jravida · ‎07-23-2015

Hi guys,

I'm working on some formulas to show percentages, right now trying to count % vendors affected by vulnerabilities. The data I am working with is a single JSON file, broken down into each Vulnerability ID. Problem is, if I try to dedup a Vendor that is affected by a particular vulnerability (which are listed as vendor, product, version, inside separate JSON sub-arrays within the vulnerability ID), it still counts the multiple versions, even though I:

index = jsonvuln | dedup id Vendor | top 100 Vendor

returns > 100% for Vendors like Apple and Adobe, which show up multiple times in each Vulnerability ID. So like 236.76% for Adobe.The dedup doesn't seem to work for the array within the event. Is there a command I can use to dedup these Vendors so Splunk only counts it once?

jravida · ‎07-23-2015

Figured it out.

I have to use mvexpand on the Vendor field. Then dedup Vendor and ID fields. So simple!

View solution in original post

jravida · ‎07-23-2015

Figured it out.

I have to use mvexpand on the Vendor field. Then dedup Vendor and ID fields. So simple!

How to dedup a field inside JSON arrays?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Data Management Digest – May 2026

Index This | What is feather-light but cannot be held long?

.conf26 Registration is Live: Secure Your Early Bird Pass Now

Join the Conversation