How to extract and download a field of array from ...

hantaliu · ‎06-22-2022

I have an event which is constructed like the following:

{
   name: string,
   time: string,
   duration: string,
   logs: JSONObjects[]
}

When I download the event, I just want the logs which is everything inside [] but without the head part which is "{logs:" and the last "}"

To do that how do I construct the search query?

rymundo_splunk · ‎06-22-2022

Hi, you could use something like spath to process the json and then pick the logs array out of the resultant object. Maybe something like this:

|makeresults
| eval json="{\"name\":\"json_name\", \"logs\":[{\"name\":\"log1\"}, { \"name\":\"log2\"}]}",
output_log_array=spath(json,"logs{}"),
output_log_names=spath(json,"logs{}.name")

I added a second example with output_log_names to show how you would extract particular fields within the array json into their own multivalued field.

How to extract and download a field of array from an event?

What’s New & Next in Splunk SOAR

Observability Unlocked: Kubernetes Monitoring with Splunk Observability Cloud

Update Your SOAR Apps for Python 3.13: What Community Developers Need to Know

Are you a member of the Splunk Community?

How to extract and download a field of array from an event?

What’s New & Next in Splunk SOAR

Observability Unlocked: Kubernetes Monitoring with Splunk Observability Cloud

Update Your SOAR Apps for Python 3.13: What Community Developers Need to Know