Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

How to access a property on the last element in an array,accessing last element in json array?

marcovdlinden
New Member
‎08-30-2019 03:23 AM

Hi I have json events that have an array with objects and i want to extract a property from it

Some pseudo search code

| spath output=LastResult  path=message.results{-1}
| table LastResult.timestamp

{-1} indexing does not seem to work in spath

| spath output=Results  path=message.results{}
| eval LastResult=mvindex(Results, -1)
| table LastResult.timestamp

Also does not work because LastResult has become a string version of the last array element so .timestamp does not work on that string.

my actual objects are a bit more complex and I want to get multiple properties so a regex on the string returned by mvindex is not really an option.

Is there a good way to do this?

,I got a json that with arrays in events.
I'd like to access a property of the last element in such array

| spath output=LastResult path=message.results{-1}
| table LastResult.timestamp

but {-1} does not seem to work for indexing the last element

| spath output=Results path=message.results{}
| eval LastResult= mvindex(Results, -1)
| table LastResult.timestamp

mvindex does accept -1 and it does get the last result from the array
But also does not work because LastResult becomes a string instead of an json object and thus .timestamp does not work

Is there a way to do this?

0 Karma
Reply

poete
Builder
‎08-30-2019 07:33 AM

Hello @marcovdlinden ,

check this. It should solve you problem.

| makeresults 
| eval _raw = "{\"message\":{\"results\":[1,2,3], \"otherFields\":0}"
| spath output=result message.results{}
| eval res = mvindex(result,mvcount(result)-1)
Reply

jawaharas
Motivator
‎08-30-2019 05:45 AM

Can you provide sample JSON?

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Index This | What travels the world but is also stuck in place?

April 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Realizing the full potential of your Splunk investment requires more than just understanding current usage; it ...

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

As data volumes continue to grow and environments become more distributed, managing and optimizing data ...