On data ingest, does Splunk recognize maps?

minerjaime · ‎11-28-2015

I'm using Splunk to store data tuples that contain maps.

For example, such a map is: {"likes": ["strawberry", "vanilla"], "dislikes": ["chocolate"]}.

Is there a way to get Splunk to recognize this as a map? To identify the keys? To query for specific values?

Thanks!

martin_mueller · ‎11-28-2015

That looks like JSON, no big deal to index and have its fields extracted - check out http://docs.splunk.com/Documentation/Splunk/latest/Data/Extractfieldsfromfileswithstructureddata

minerjaime · ‎11-30-2015

Martin, thanks.

Yes, it is JSON and I have managed to get Splunk to "handle" it.

However, when this map is extracted, it doesn't behave in the best of ways. I seem to get an "Interesting Field" for every instance of "first" key in the map.

Is there a way to query the maps for certain keys or values?

On data ingest, does Splunk recognize maps?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Deep Dive: Accelerate threat investigation with Splunk’s AI Assistant in Security

Announcing Modern Navigation: A New Era of Splunk User Experience

Detection Engineering Office Hours: Real-World Troubleshooting & Q&A

Join the Conversation

On data ingest, does Splunk recognize maps?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Deep Dive: Accelerate threat investigation with Splunk’s AI Assistant in Security

Announcing Modern Navigation: A New Era of Splunk User Experience

Detection Engineering Office Hours: Real-World Troubleshooting & Q&A