How do I list the events if there are more than 1 ...

graziaedu · ‎09-05-2022

how do i list the events that in an array has more than 1 item?

1) a:[ {"data1":"abc"},{"data1":"def"}]

2) a:[ {"data1":"abc"}]

3) a:[ {"data1":"abc"},{"data1":"def"}]

4) a:[ {"data1":"abc"}]

i want to list only events 1 and 3.

richgalloway · ‎09-05-2022

The first step is to find the elements in the array. I like to use rex for that.

| rex max_match=0 "(?<element>\{[^\}]+})"

The max_match option tells rex to collect all matching strings rather than just the first. I multi-value field will hold each match. Next we just need to count the number of matches and filter out the singletons.

| eval elementCount = mvcount(element)
| where elementCount > 1

---
If this reply helps you, Karma would be appreciated.

bowesmana · ‎09-05-2022

See this example

| makeresults 
| eval _raw="{\"a\":[ {\"data1\":\"abc\"},{\"data1\":\"def\"}]}
{\"a\":[ {\"data1\":\"abc\"}]}
{\"a\":[ {\"data1\":\"abc\"},{\"data1\":\"def\"}]}
{\"a\":[ {\"data1\":\"abc\"}]}"
| multikv noheader=t
| fields _raw 
| fields - _time
``` Above sets up your example data ```
| spath input=_raw
``` Assuming you now have validly parsed JSON - use mvcount() ```
| where mvcount('a{}.data1')>1

How do I list the events if there are more than 1 item in array?

Splunk Answers Content Calendar, June Edition

What You Read The Most: Splunk Lantern’s Most Popular Articles!

See your relevant APM services, dashboards, and alerts in one place with the updated ...

Are you a member of the Splunk Community?

How do I list the events if there are more than 1 item in array?

Splunk Answers Content Calendar, June Edition

What You Read The Most: Splunk Lantern’s Most Popular Articles!

See your relevant APM services, dashboards, and alerts in one place with the updated ...