Splunk Enterprise
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Indexing Json Array field

galsegal
Explorer
‎07-19-2020 07:20 AM

Hey, 

 

Can you please assist me with how to index this field:

galsegal_0-1595168246662.png

What I'm trying to do is to know which index has the 'true' value in it and take action accordingly.

For example , in pseudo code:

if(message.anomaly.features{}.anomaly[0] == true 
then newfield = 0

Thanks!

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

niketn
Legend
‎07-19-2020 07:40 AM

@galsegal Try adding the following condition to find whether true value is present within JSON field message.anomaly.features.anomaly{} 

| eval isTrue=if(('message.anomaly.features.anomaly{}'="true"),1,0)

The field isTrue evaluates to 1 if there is true value identified in respective field. If not it evaluates to 0.

PS: If you want to filter only events with one of the values as true instead of eval you can directly use search i.e. 

| search "message.anomaly.features.anomaly{}"="true"

Following is a run anywhere example based on one of the sample data provided.

| makeresults 
| eval _raw="
{
   \"message\":{
      \"anomaly\":{
         \"features\":{
            \"anomaly\":[
               \"false\",
               \"true\",
               \"false\",
               \"false\"
                ]
         }
      }
   }
}" 
| append 
    [| makeresults 
    | eval _raw="
{
   \"message\":{
      \"anomaly\":{
         \"features\":{
            \"anomaly\":[
               \"false\",
               \"false\",
               \"false\",
               \"false\"
                    ]
         }
      }
   }
}"] 
| spath 
| fields - _raw _time 
| eval isTrue=if(('message.anomaly.features.anomaly{}'="true"),1,0)

 Please try out and confirm!

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

View solution in original post

Reply
Solved! Jump to solution
Solution

niketn
Legend
‎07-19-2020 07:40 AM

@galsegal Try adding the following condition to find whether true value is present within JSON field message.anomaly.features.anomaly{} 

| eval isTrue=if(('message.anomaly.features.anomaly{}'="true"),1,0)

The field isTrue evaluates to 1 if there is true value identified in respective field. If not it evaluates to 0.

PS: If you want to filter only events with one of the values as true instead of eval you can directly use search i.e. 

| search "message.anomaly.features.anomaly{}"="true"

Following is a run anywhere example based on one of the sample data provided.

| makeresults 
| eval _raw="
{
   \"message\":{
      \"anomaly\":{
         \"features\":{
            \"anomaly\":[
               \"false\",
               \"true\",
               \"false\",
               \"false\"
                ]
         }
      }
   }
}" 
| append 
    [| makeresults 
    | eval _raw="
{
   \"message\":{
      \"anomaly\":{
         \"features\":{
            \"anomaly\":[
               \"false\",
               \"false\",
               \"false\",
               \"false\"
                    ]
         }
      }
   }
}"] 
| spath 
| fields - _raw _time 
| eval isTrue=if(('message.anomaly.features.anomaly{}'="true"),1,0)

 Please try out and confirm!

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
Reply
Solved! Jump to solution

galsegal
Explorer
‎07-19-2020 07:50 AM

Hi niketnilay,

 

Thanks for stepping in, appreciate the prompt response.

I might have phrased my question not so clear, what I’m trying to do is Ivactually need to know which of the indexes has the 'true' value in this. 

The best solution for me will be some kind of way to iterate this structure like in programming-

message.anomaly.features.anomaly{}[0],message.anomaly.features.anomaly{}[1] and so on..

Is this something that is possible to accomplish using splunk?

 

Thanks again,

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas     Cisco Live 2026 is almost here, and this ...

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Hello Splunkers,   So you searched, “what is the name of the usb key inserted by bob smith?”  Not gonna lie… ...

Automating Threat Operations and Threat Hunting with Recorded Future

    Automating Threat Operations and Threat Hunting with Recorded Future June 29, 2026 | Register   Is your ...