How do I list the events if there are more than 1 ...

graziaedu · ‎09-05-2022

how do i list the events that in an array has more than 1 item?

1) a:[ {"data1":"abc"},{"data1":"def"}]

2) a:[ {"data1":"abc"}]

3) a:[ {"data1":"abc"},{"data1":"def"}]

4) a:[ {"data1":"abc"}]

i want to list only events 1 and 3.

richgalloway · ‎09-05-2022

The first step is to find the elements in the array. I like to use rex for that.

| rex max_match=0 "(?<element>\{[^\}]+})"

The max_match option tells rex to collect all matching strings rather than just the first. I multi-value field will hold each match. Next we just need to count the number of matches and filter out the singletons.

| eval elementCount = mvcount(element)
| where elementCount > 1

---
If this reply helps you, Karma would be appreciated.

bowesmana · ‎09-05-2022

See this example

| makeresults 
| eval _raw="{\"a\":[ {\"data1\":\"abc\"},{\"data1\":\"def\"}]}
{\"a\":[ {\"data1\":\"abc\"}]}
{\"a\":[ {\"data1\":\"abc\"},{\"data1\":\"def\"}]}
{\"a\":[ {\"data1\":\"abc\"}]}"
| multikv noheader=t
| fields _raw 
| fields - _time
``` Above sets up your example data ```
| spath input=_raw
``` Assuming you now have validly parsed JSON - use mvcount() ```
| where mvcount('a{}.data1')>1

How do I list the events if there are more than 1 item in array?

Can’t make it to .conf25? Join us online!

Community Content Calendar, September edition

Splunkbase Unveils New App Listing Management Public Preview

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you a member of the Splunk Community?

How do I list the events if there are more than 1 item in array?

Can’t make it to .conf25? Join us online!

Community Content Calendar, September edition

Splunkbase Unveils New App Listing Management Public Preview

Leveraging Automated Threat Analysis Across the Splunk Ecosystem