Hello guys,
I have a JSON event that contains a subarray, and I want to create a field that holds the first index value of the array. For example:
{
"data":
{"task":"pullFrom",
"from_repo":"https://abc.mxz.com:8089",
"to_repo":"https://abc.mxzz.com:8089",
"to_repo_change_count":20008,
"asset_uri":["kannu","search","ui-prefs","search"]
}
}
In the above event I want to create a field that has only the value "kannu" from the subarray "asset_uri".
I tried data.asset_uri[0], as in normal JSON parsing, but Splunk gives an error when I do this.
Thanks in advance.
Hi @kannu,
Assuming your JSON is extracted correctly you could just do the following:
| eval first_value = mvindex('data.asset_uri{}', 0)
Regards,
J
...
| rex "(?ms)asset_uri\":\[\"(?<asset_uri>[^\"]+)"
This one is simple. I tried using the same but don't know why it doesn't work for me; maybe I forgot to add the single quotes.
But thanks for helping me resolve the issue.
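An added example, not part of the original thread, showing why the quoting matters in the eval answer above: in eval, single quotes mark a field name (required here because the name contains `.` and `{}`), while double quotes mark a string literal. The event is a trimmed copy of the one in the question; the output field names first_ok, first_literal and last_value are made up for illustration.

```spl
| makeresults
| eval _raw="{\"data\":{\"task\":\"pullFrom\",\"asset_uri\":[\"kannu\",\"search\",\"ui-prefs\",\"search\"]}}"
| spath
| eval first_ok = mvindex('data.asset_uri{}', 0)
| eval first_literal = mvindex("data.asset_uri{}", 0)
| eval last_value = mvindex('data.asset_uri{}', -1)
| table first_ok first_literal last_value
```

first_ok holds kannu and last_value holds search (a negative index counts from the end), while first_literal holds the text data.asset_uri{} because the double-quoted argument is treated as a string, not a field.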
Hi
Check this
| makeresults
| eval temp="{
\"data\":
{\"task\":\"pullFrom\",
\"from_repo\":\"https://abc.mxz.com:8089\",
\"to_repo\":\"https://abc.mxzz.com:8089\",
\"to_repo_change_count\":20008,
\"asset_uri\":[\"kannu\",\"search\",\"ui-prefs\",\"search\"]
}
}"
| spath input=temp path=data.asset_uri{} output=asset_uri
| eval asset_uri=mvindex(asset_uri,0)
Thank you ravikumar