Re: How to parse array to get only required attrib...

Techie · ‎02-01-2023

Hello,

I have an array of timeline event.

Timeline: [ [-]
       { [-]
         deltaToStart: 788
         startTime: 2023-02-01T21:56:11Z
         type: service1
       }
       { [-]
         deltaToStart: 653
         startTime: 2023-02-01T21:56:11.135Z
         type: service2
       }
     ]

I would like to table deltaToStart value only of type service1.

Thanks.

Techie · ‎02-03-2023

@ITWhisperer , thanks for responding. Can you also help me to calculate sum of both durations and table all 3 fields (message.duration, deltaToStart, total_time)

total_time = message.duration + deltaToStart (of type service1)

message: { [-]
duration: 182
Timeline: [ [-]
{ [-]
deltaToStart: 788
startTime: 2023-02-01T21:56:11Z
type: service1
}
{ [-]
deltaToStart: 653
startTime: 2023-02-01T21:56:11.135Z
type: service2
}
]
}

ITWhisperer · ‎02-03-2023

What have you tried so far?

ITWhisperer · ‎02-02-2023

Try something like this

| spath Timeline{} output=Timeline
| mvexpand Timeline
| spath input=Timeline
| where type="service1"
| table deltaToStart

How to parse array to get only required attribute?

field extraction

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Monitoring AI Agents with Splunk Observability Cloud

[Puzzles] Solve, Learn, Repeat: Tiling

SOK it to Me: Top 3 Benefits of Using Splunk Operator on Kubernetes that’ll Make ...

Join the Conversation