Getting Data In
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- extract first value from json subarray
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
kannu
Communicator
04-15-2020
01:07 AM
Hello Guys ,
I have one json event in which there is subarray so i want to create one field which will have first index value of array for example
{
"data":
{"task":"pullFrom",
"from_repo":"https://abc.mxz.com:8089",
"to_repo":"https://abc.mxzz.com:8089",
"to_repo_change_count":20008,
"asset_uri":["kannu","search","ui-prefs","search"]
}
}
in above event i wnat to create the field which will have value only "kannu" from subarray "asset_uri" .
I tried doing data.asset_uri[0] as a normal json parsing but splunk is giving error while doing like this
Thanks in advance
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
javiergn
Super Champion
04-15-2020
01:55 AM
Hi @kannu,
Assuming your JSON is extracted correctly you could just do the following:
| eval first_value = mvindex('data.asset_uri{}', 0)
Regards,
J
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
to4kawa
Ultra Champion
04-15-2020
02:33 AM
...
| rex "(?ms)asset_uri\":\[\"(?<asset_uri>[^\"]+)"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
javiergn
Super Champion
04-15-2020
01:55 AM
Hi @kannu,
Assuming your JSON is extracted correctly you could just do the following:
| eval first_value = mvindex('data.asset_uri{}', 0)
Regards,
J
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
kannu
Communicator
04-15-2020
02:34 AM
This one is simple , i tried using the same but dont know why it doesnt work for me may be single quote i forget to add .
but thanks for helping me in resolving the issue
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
vnravikumar
Champion
04-15-2020
01:43 AM
Hi
Check this
| makeresults
| eval temp="{
\"data\":
{\"task\":\"pullFrom\",
\"from_repo\":\"https://abc.mxz.com:8089\",
\"to_repo\":\"https://abc.mxzz.com:8089\",
\"to_repo_change_count\":20008,
\"asset_uri\":[\"kannu\",\"search\",\"ui-prefs\",\"search\"]
}
}"
| spath input=temp path=data.asset_uri{} output=asset_uri
| eval asset_uri=mvindex(asset_uri,0)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
kannu
Communicator
04-15-2020
02:34 AM
Thank you ravikumar
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Get Updates on the Splunk Community!
Tech Talk Recap | Mastering Threat Hunting
Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...
Observability for AI Applications: Troubleshooting Latency
If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...
Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?
In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...
