Splunk Search

Best tool in the toolkit to access and correlate multivalue fields

ft_kd02
Path Finder

Hi all, 

I've worked with multivalue fields in a limited capacity and I'm having trouble with a particular instance. Generally, the multivalue fields I've worked with have been small or had static indexing, such that I could use mvindex or simple renaming to extract the value I needed. I've run across a situation in which I have a JSON array called 'tokenData' that is dynamically populated with smaller arrays of metadata, such that the index is not static.

Example:

[screenshot of the event, not reproduced here: ft_kd02_0-1694125013243.png]


There will be hundreds of these in the array in a single Splunk event. What I need to do is access these fields and extract the tokenData where the tokenId is a specific value, and compare that with other elements of the search.

Example: 

tokenId: 105
tokenLength:70
tokenData: blahblah

I need to extract this into a field and check its value within the context of an alert. There will be some processing of the actual field as well, but that should be easy if I can get the value, correlated with the ID.

Things I know: tokenId needed will always be static, tokenLength of said tokenId will always be static, tokenData will change depending on the situation. 

What is the best way to get this value consistently, when the array is not static? I'd need the value of the field tokenData wherever tokenId=target. Hope this was clear.

Thanks


yuanliu
SplunkTrust

You did not show the top level nodes. (And it's always a bad idea to use screenshots to show data; use raw text.)

If your upper array node is indeed called tokenData, Splunk should have something like tokenData{}.tokenData, tokenData{}.tokenId, etc. To spread them out, first reach that array with spath. That will convert the JSON array to an ordinary multivalue field tokenData{} so you can use mvexpand. Lastly, use spath again on each element to extract the single-value tokenData, tokenId.

| spath path=tokenData{}
| mvexpand tokenData{}
| spath input=tokenData{}

Hope this helps.
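The three-command pattern above carried through to the original poster's goal, as an added example rather than part of the answer: it builds one constructed event with makeresults, expands the array, keeps only the element whose tokenId is 105, and flags whether the observed length of tokenData matches the expected tokenLength so the result can drive an alert. The field names follow the question; the sample values are made up.

```spl
| makeresults
| eval _raw="{\"tokenData\":[{\"tokenId\":104,\"tokenLength\":3,\"tokenData\":\"abc\"},{\"tokenId\":105,\"tokenLength\":70,\"tokenData\":\"blahblah\"}]}"
| spath path=tokenData{}
| mvexpand tokenData{}
| spath input=tokenData{}
| where tonumber(tokenId)=105
| eval observedLength=len(tokenData)
| eval lengthMismatch=if(observedLength!=tonumber(tokenLength), "yes", "no")
| table tokenId tokenLength tokenData observedLength lengthMismatch
```

With the constructed event this returns one row for tokenId 105 with lengthMismatch="yes", since "blahblah" is 8 characters, not 70; an alert can key on that field. mvexpand is subject to the memory limit in the [mvexpand] stanza of limits.conf, so filter on tokenId as early as the pattern allows when arrays grow large.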
