Splunk Search

Best tool in the toolkit to access and correlate multivalue fields

ft_kd02
Path Finder

Hi all, 

I've worked with multivalue fields in a limited capacity and I'm having trouble with a particular instance. Generally, the multivalue fields I've worked with have been small or had static indexing, such that I could use mvindexing or simple renaming to extract the value I needed. I've run across a situation in which I have a JSON array called 'tokenData' that is dynamically populated with smaller arrays of metadata, such that the index is not static.

Example:

[screenshot: ft_kd02_0-1694125013243.png]
There will be hundreds of these in the array in a single Splunk event. What I need to do is access these fields and extract the tokenData where the tokenId is a specific value, and compare that with other elements of the search.

Example: 

tokenId: 105
tokenLength: 70
tokenData: blahblah

I need to extract this into a field and check its value within the context of an alert. There will be some processing of the actual field as well, but that should be easy if I can get the value, correlated with the ID.

Things I know: the tokenId needed will always be static, the tokenLength of said tokenId will always be static, and tokenData will change depending on the situation.

What is the best way to get this value consistently, when the array is not static? I'd need the value of the field tokenData wherever tokenId=target. Hope this was clear.

Thanks


yuanliu
SplunkTrust

You did not show the top-level nodes. (And it's always a bad idea to use screenshots to show data; use raw text.)

If your upper array node is indeed called tokenData, Splunk should have something like tokenData{}.tokenData, tokenData{}.tokenId, etc. To spread them out, first reach that array with spath. That will convert the JSON array into an ordinary multivalue field tokenData{} so you can use mvexpand. Lastly, use spath again on each element to extract the single-value tokenData and tokenId.

| spath path=tokenData{}
| mvexpand tokenData{}
| spath input=tokenData{}

Hope this helps.
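The following is an added, self-contained version of that search, not part of the original reply. It builds one constructed event with makeresults (the three array elements and their values are made up for illustration; the asker's real data was only shown as a screenshot), applies the spath / mvexpand / spath sequence, and then keeps only the element whose tokenId is the target value 105 from the question:

```spl
| makeresults
| eval _raw="{\"tokenData\":[{\"tokenId\":101,\"tokenLength\":12,\"tokenData\":\"alpha\"},{\"tokenId\":105,\"tokenLength\":70,\"tokenData\":\"blahblah\"},{\"tokenId\":230,\"tokenLength\":8,\"tokenData\":\"gamma\"}]}"
| spath path=tokenData{}
| mvexpand tokenData{}
| spath input=tokenData{}
| search tokenId=105
| table tokenId tokenLength tokenData
```

After the first spath, tokenData{} is a multivalue field holding each array element as its own JSON string; mvexpand turns those values into one row per element; the second spath parses each row's element, so tokenId, tokenLength and tokenData become ordinary single-value fields that a later eval or where can test. Because the asker expects hundreds of elements per event, note that mvexpand is bounded by the max_mem_usage_mb setting in the mvexpand stanza of limits.conf; if rows are silently dropped on large events, check that limit before assuming the extraction failed.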
