Getting Data In
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- extract first value from json subarray
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
kannu
Communicator
04-15-2020
01:07 AM
Hello Guys ,
I have one json event in which there is subarray so i want to create one field which will have first index value of array for example
{
"data":
{"task":"pullFrom",
"from_repo":"https://abc.mxz.com:8089",
"to_repo":"https://abc.mxzz.com:8089",
"to_repo_change_count":20008,
"asset_uri":["kannu","search","ui-prefs","search"]
}
}
in above event i wnat to create the field which will have value only "kannu" from subarray "asset_uri" .
I tried doing data.asset_uri[0] as a normal json parsing but splunk is giving error while doing like this
Thanks in advance
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
javiergn
Super Champion
04-15-2020
01:55 AM
Hi @kannu,
Assuming your JSON is extracted correctly you could just do the following:
| eval first_value = mvindex('data.asset_uri{}', 0)
Regards,
J
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
to4kawa
Ultra Champion
04-15-2020
02:33 AM
...
| rex "(?ms)asset_uri\":\[\"(?<asset_uri>[^\"]+)"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
javiergn
Super Champion
04-15-2020
01:55 AM
Hi @kannu,
Assuming your JSON is extracted correctly you could just do the following:
| eval first_value = mvindex('data.asset_uri{}', 0)
Regards,
J
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
kannu
Communicator
04-15-2020
02:34 AM
This one is simple , i tried using the same but dont know why it doesnt work for me may be single quote i forget to add .
but thanks for helping me in resolving the issue
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
vnravikumar
Champion
04-15-2020
01:43 AM
Hi
Check this
| makeresults
| eval temp="{
\"data\":
{\"task\":\"pullFrom\",
\"from_repo\":\"https://abc.mxz.com:8089\",
\"to_repo\":\"https://abc.mxzz.com:8089\",
\"to_repo_change_count\":20008,
\"asset_uri\":[\"kannu\",\"search\",\"ui-prefs\",\"search\"]
}
}"
| spath input=temp path=data.asset_uri{} output=asset_uri
| eval asset_uri=mvindex(asset_uri,0)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
kannu
Communicator
04-15-2020
02:34 AM
Thank you ravikumar
Get Updates on the Splunk Community!
Good Sourcetype Naming
When it comes to getting data in, one of the earliest decisions made is what to use as a sourcetype. Often, ...
See your relevant APM services, dashboards, and alerts in one place with the updated ...
As a Splunk Observability user, you have a lot of data you have to manage, prioritize, and troubleshoot on a ...
Splunk App for Anomaly Detection End of Life Announcement
Q: What is happening to the Splunk App for Anomaly Detection?A: Splunk is officially announcing the ...
