Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

json array searching

Maurice
Explorer
‎07-15-2021 06:59 AM

Hi, 

I am trying to return results if an item in the array has both values set to specific values.

ie bu = "blob" and disp="enforce" on the one array item

However,  my search seems to happen across items.

 

|makeresults
|eval _raw ="{
\"sp_v\":[
{\"bu\":\"blob\",\"disp\":\"enforce\"},
{\"bu\":\"inline\",\"disp\":\"report\"}
]
}"
| spath
| search sp_v{}.bu=blob AND sp_v{}.disp=report

This is returning result as the first item has 'blob' and the second has 'report'.

I would not expect any results in this search

Would appreciate any help,

Kind Regards,

Maurice

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎07-15-2021 08:40 AM

@Maurice 

If you have multiple fields then I suggest this solution.

|makeresults
|eval _raw ="{
\"sp_v\":[
{\"bu\":\"blob\",\"disp\":\"enforce\", \"an\":\"test\"},
{\"bu\":\"inline\",\"disp\":\"report\", \"an\":\"another\"}
]
}"
| spath path=sp_v{} output=data | stats count by data | rename data as _raw | extract 
| where bu="blob" AND disp="enforce" AND an="test"

 

Thanks
KV
▄︻̷̿┻̿═━一

If any of my reply helps you to solve the problem Or gain knowledge, an upvote would be appreciated.

View solution in original post

0 Karma
Reply
Solved! Jump to solution

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎07-15-2021 07:48 AM

@Maurice 

Can you please try this?

YOUR_SEARCH
| spath
| rename sp_v{}.* as *
| eval t = mvzip(bu,disp) | mvexpand t| eval bu=mvindex(split(t,","),0),disp=mvindex(split(t,","),1)
| where bu="blob" AND disp="report"

 

My Sample Search :

|makeresults
|eval _raw ="{
\"sp_v\":[
{\"bu\":\"blob\",\"disp\":\"enforce\"},
{\"bu\":\"inline\",\"disp\":\"report\"}
]
}"
| spath
| rename sp_v{}.* as *
| eval t = mvzip(bu,disp) | mvexpand t| eval bu=mvindex(split(t,","),0),disp=mvindex(split(t,","),1)
| where bu="blob" AND disp="report"

 

Thanks
KV
▄︻̷̿┻̿═━一

If any of my reply helps you to solve the problem Or gain knowledge, an upvote would be appreciated.

0 Karma
Reply
Solved! Jump to solution

Maurice
Explorer
‎07-15-2021 08:36 AM

Thanks KV,

 That works great.

 My only issue is that in my dashboard I am building up this query using inputs (for most properties on the array).

So there could be up to 7 or 8 properties to search on.

I notice from the docs that mvzip only works with 2 properties by default. so I tried with 3 which worked(see below):

|makeresults
|eval _raw ="{
\"sp_v\":[
{\"bu\":\"blob\",\"disp\":\"enforce\", \"an\":\"test\"},
{\"bu\":\"inline\",\"disp\":\"report\", \"an\":\"another\"}
]
}"
| spath
| rename sp_v{}.* as *
| eval t = mvzip(mvzip(bu,disp), an)
| mvexpand t
| eval bu=mvindex(split(t,","),0),disp=mvindex(split(t,","),1), an=mvindex(split(t,","),2)
| where bu="blob" AND disp="enforce" AND an="test"

 

I'd imagine the code would become hard to read as I have to nest mvzip inside itself and also change the index

Do you know of a more readable way it accomplish this with  more properties?

Kind regards,

Maurice

0 Karma
Reply
Solved! Jump to solution
Solution

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎07-15-2021 08:40 AM

@Maurice 

If you have multiple fields then I suggest this solution.

|makeresults
|eval _raw ="{
\"sp_v\":[
{\"bu\":\"blob\",\"disp\":\"enforce\", \"an\":\"test\"},
{\"bu\":\"inline\",\"disp\":\"report\", \"an\":\"another\"}
]
}"
| spath path=sp_v{} output=data | stats count by data | rename data as _raw | extract 
| where bu="blob" AND disp="enforce" AND an="test"

 

Thanks
KV
▄︻̷̿┻̿═━一

If any of my reply helps you to solve the problem Or gain knowledge, an upvote would be appreciated.

0 Karma
Reply
Solved! Jump to solution

Maurice
Explorer
‎07-16-2021 04:00 AM

Thanks KV,

That looks like much more maintainable code. 😀

 One last think, I wanted to create a timechart also off the data but it fails once i use a real index instead of make results.

I am presuming it has something to do with _time not being in the result set:

index=myIndex source=mySource  spath path=sp_v{} output=data | stats count by data | rename data as _raw | extract | timechart span=1d count(bu)  useother=f usenull=f

 

Any ideas?

Kind Regards,

Maurice

0 Karma
Reply
Solved! Jump to solution

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎07-16-2021 04:03 AM

@Maurice 

For timechart try this.

index=myIndex source=mySource 
| spath path=sp_v{} output=data 
| stats count by _time data 
| rename data as _raw | extract 
| timechart span=1d count(bu)  useother=f usenull=f

 

🙂 

Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...

SplunkTrust Application Period is Officially OPEN!

It's that time, folks! The application/nomination period for the 2026-2027 SplunkTrust is officially open. If ...