How to access a property on the last element in an...

marcovdlinden · ‎08-30-2019

Hi I have json events that have an array with objects and i want to extract a property from it

Some pseudo search code

| spath output=LastResult  path=message.results{-1}
| table LastResult.timestamp

{-1} indexing does not seem to work in spath

| spath output=Results  path=message.results{}
| eval LastResult=mvindex(Results, -1)
| table LastResult.timestamp

Also does not work because LastResult has become a string version of the last array element so .timestamp does not work on that string.

my actual objects are a bit more complex and I want to get multiple properties so a regex on the string returned by mvindex is not really an option.

Is there a good way to do this?

,I got a json that with arrays in events.
I'd like to access a property of the last element in such array

| spath output=LastResult path=message.results{-1}
| table LastResult.timestamp

but {-1} does not seem to work for indexing the last element

| spath output=Results path=message.results{}
| eval LastResult= mvindex(Results, -1)
| table LastResult.timestamp

mvindex does accept -1 and it does get the last result from the array
But also does not work because LastResult becomes a string instead of an json object and thus .timestamp does not work

Is there a way to do this?

poete · ‎08-30-2019

Hello @marcovdlinden ,

check this. It should solve you problem.

| makeresults 
| eval _raw = "{\"message\":{\"results\":[1,2,3], \"otherFields\":0}"
| spath output=result message.results{}
| eval res = mvindex(result,mvcount(result)-1)

jawaharas · ‎08-30-2019

Can you provide sample JSON?

How to access a property on the last element in an array,accessing last element in json array?

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!