- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to create a table from indexed nested array
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to create a table from indexed nested array
I have been banging my head against the wall for a while and would love some help. Imagine I have the two event logs and would like to create a table from them. The logs have an array value and I want the last item in that array and I want the message value. Additionally, I want a top-level from each event. So if I have the following two logs.
Event Log 1:
{
"description": "My description",
"param.response.tracking": [
{
"message": "My message"
},
{
"message": "My other message"
}
]
}
Event Log 2:
{
"description": "My description 1",
"param.response.tracking": [
{
"message": "My message 1"
},
{
"message": "My other message 1"
}
]
}
I want the resulting table:
description, message
"My description", "My other message"
"My description 1", "My other message 1"
I came to this question which is very close to what I want https://answers.splunk.com/answers/769708/how-to-access-a-property-on-the-last-element-in-an-1.html , but it doesn't work
For me, this would be:
| spath output=result path=param.response.tracking{}
| eval res = mvindex(result,mvcount(result)-1)
| table description, res.message
Any help is appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
your search
| spath
| rename param.response.tracking{}.* as *
| table description message
| eval message=mvindex(message, -1)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You're on the right track. For what you're after, you need the following:
source="Untitled-1.json" index="test" sourcetype="_json"
| spath output=message path=param.response.tracking{}.message
| eval res = mvindex(message, mvcount(message) - 1)
| stats values(res) as res by description
this will give:
description res
My description My other message
My description 1 My other message 1
The only err is res.message. The eval returns a single value when it executes the mvindex, so there is no nested value.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This doesn't work for me
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I had modified the path, have reset it back to what you're using. Check again.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Still not working, for what it's worth this
... | table param.result.tracking_details{}.message
returns
"My message"
"My other message"
"My message 1"
"My other message 1"
which is close, but I need the last item.
Extending Observability Content to Splunk Cloud
More Control Over Your Monitoring Costs with Archived Metrics!
New in Observability Cloud - Explicit Bucket Histograms
