Re: How to do loop on array

bhanusaketi · ‎12-13-2022

How to loop the array values after split with delimiter

| eval json="{"key1":"key1value","key2":"key2value","key3":"key3value","key4":"key4Value" }"

| eval keyNames ="key1,key2,key3,key4" // key names can add or remove based on search string the requirement

| eval keys=split(keyNames ,";")

How to loop these keys and perform some operation.

I have tired with some MV commands but no luck.

Example:

| eval count = mvcount(keys)

| streamstats count as counter

| eval jsonKey= mvindex(keys,count) | eval keyValue = json_extract(json, jsonKey)

I am not sure how to achieve this use case, can some one please help me on it.

ITWhisperer · ‎12-13-2022

SPL is not a procedural language so there isn't a "loop through" construct per se. However, it depends on what it is you are trying to achieve as to whether there is another way to do it. For example, if you want to simply extract the key-value pairs from the json string use spath

| eval json="{\"key1\":\"key1value\",\"key2\":\"key2value\",\"key3\":\"key3value\",\"key4\":\"key4Value\" }"
| spath input=json

How to do loop on array?

proactive Splunk component monitoring

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Deep Dive: Accelerate threat investigation with Splunk’s AI Assistant in Security

Announcing Modern Navigation: A New Era of Splunk User Experience

Detection Engineering Office Hours: Real-World Troubleshooting & Q&A

Join the Conversation