Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to create a table from indexed nested array

nordstromemg
New Member
‎03-02-2020 01:52 PM

I have been banging my head against the wall for a while and would love some help. Imagine I have the two event logs and would like to create a table from them. The logs have an array value and I want the last item in that array and I want the message value. Additionally, I want a top-level from each event. So if I have the following two logs.

Event Log 1:

{
  "description": "My description",
  "param.response.tracking": [
    {
        "message": "My message"
    },
    {
        "message": "My other message"
    }
  ]
}

Event Log 2:

{
  "description": "My description 1",
  "param.response.tracking": [
    {
        "message": "My message 1"
    },
    {
        "message": "My other message 1"
    }
  ]
}

I want the resulting table:

description, message
"My description", "My other message"
"My description 1", "My other message 1"

I came to this question which is very close to what I want https://answers.splunk.com/answers/769708/how-to-access-a-property-on-the-last-element-in-an-1.html , but it doesn't work

For me, this would be: 

| spath output=result path=param.response.tracking{}
| eval res = mvindex(result,mvcount(result)-1)
| table description, res.message

Any help is appreciated.

0 Karma
Reply

to4kawa
Ultra Champion
‎03-03-2020 12:41 PM 
your search
| spath
| rename param.response.tracking{}.* as *
| table description message
| eval message=mvindex(message, -1)
0 Karma
Reply

anmolpatel
Builder
‎03-02-2020 02:36 PM

You're on the right track. For what you're after, you need the following:

source="Untitled-1.json" index="test" sourcetype="_json"
| spath output=message path=param.response.tracking{}.message
| eval res = mvindex(message, mvcount(message) - 1)
| stats values(res) as res by description

this will give:
description res
My description My other message
My description 1 My other message 1

The only err is res.message. The eval returns a single value when it executes the mvindex, so there is no nested value.

0 Karma
Reply

nordstromemg
New Member
‎03-03-2020 11:52 AM

This doesn't work for me

0 Karma
Reply

anmolpatel
Builder
‎03-03-2020 01:32 PM

I had modified the path, have reset it back to what you're using. Check again.

0 Karma
Reply

nordstromemg
New Member
‎03-03-2020 02:43 PM

Still not working, for what it's worth this 

... | table param.result.tracking_details{}.message

returns
"My message"
"My other message"

"My message 1"
"My other message 1"

which is close, but I need the last item.

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...