Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to parse array to get only required attribute?

Techie
Engager
‎02-01-2023 02:48 PM

Hello,

I have an array of timeline event.

Timeline[ [-]
       { [-]
         deltaToStart788
         startTime2023-02-01T21:56:11Z
         typeservice1
       }
       { [-]
         deltaToStart653
         startTime2023-02-01T21:56:11.135Z
         typeservice2
       }
     ]

I would like to table deltaToStart value only of type service1. 

 

Thanks.

Labels (1)
Labels
0 Karma
Reply

Techie
Engager
‎02-03-2023 01:23 PM

@ITWhisperer , thanks for responding.  Can you also help me to calculate sum of both durations and table all 3 fields (message.duration, deltaToStart, total_time)

total_time = message.duration + deltaToStart (of type service1)

message: { [-]
duration: 182
Timeline: [ [-]
{ [-]
deltaToStart: 788
startTime: 2023-02-01T21:56:11Z
type: service1
}
{ [-]
deltaToStart: 653
startTime: 2023-02-01T21:56:11.135Z
type: service2
}
]
}

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎02-03-2023 10:18 PM

What have you tried so far?

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎02-02-2023 12:17 AM

Try something like this

| spath Timeline{} output=Timeline
| mvexpand Timeline
| spath input=Timeline
| where type="service1"
| table deltaToStart
0 Karma
Reply
Get Updates on the Splunk Community!

AI for AppInspect

We’re excited to announce two new updates to AppInspect designed to save you time and make the app approval ...

App Platform's 2025 Year in Review: A Year of Innovation, Growth, and Community

As we step into 2026, it’s the perfect moment to reflect on what an extraordinary year 2025 was for the Splunk ...

Operationalizing Entity Risk Score with Enterprise Security 8.3+

Overview Enterprise Security 8.3 introduces a powerful new feature called “Entity Risk Scoring” (ERS) for ...