Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to extract info from nested data with specific parameter?

paulito
Explorer
‎04-13-2022 10:53 AM

Aternity Extraction.png

 

I need to extract the Activity Score and Application UXI Average but only when the Application Name is a certain name. 

It's a weird one for me because of the way data comes in. As you can see each event has multiple application names, activity scores, uxi averages and timeframes. So even when I specify for a certain app in a search, since the app name is in an event, I get the whole event which includes all the other apps and metrics.

I hope what I'm explaining is clear and any help would be appreciated. 

 

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎04-13-2022 11:45 AM 
| spath value{} output=value
| mvexpand value
| spath input=value
| where APPLICATION_NAME="certain app"

View solution in original post

Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎04-13-2022 11:45 AM 
| spath value{} output=value
| mvexpand value
| spath input=value
| where APPLICATION_NAME="certain app"
Reply
Solved! Jump to solution

paulito
Explorer
‎04-13-2022 12:23 PM

Works perfectly, thank you!

0 Karma
Reply
Get Updates on the Splunk Community!

Devesh Logendran, Splunk, and the Singapore Cyber Conquest

At this year’s Splunk University, I had the privilege of chatting with Devesh Logendran, one of the winners in ...

There's No Place Like Chrome and the Splunk Platform

WATCH NOW!Malware. Risky Extensions. Data Exfiltration. End-users are increasingly reliant on browsers to ...

Customer Experience | Join the Customer Advisory Board!

Are you ready to take your Splunk journey to the next level? 🚀 We invite you to join our elite squad ...