How to extract values of a particular field for a ...

tsm0099 · ‎10-27-2020

I have an event which is in json and it has a repeating field say "message"

Example:

{

"Message":[

{

"message":"xyz987"

},

{

"message":"abc123"

},

{

"message":"abc456"

},

{

"message":"abc567"

},

]

}

I have to form a table with the values of message that only starts with abc(i.e abc123, abc456, abc567) and exclude the other values(i.e xyz987)

How may I achieve this?

Thanks in advance

richgalloway · ‎10-27-2020

| makeresults | eval _raw="{
\"Message\":[
{
\"message\":\"xyz987\"
},
{
\"message\":\"abc123\"
},
{
\"message\":\"abc456\"
},
{
\"message\":\"abc567\"
},
]
}" | spath | mvexpand "Message{}.message"
| where match('Message{}.message',"^abc.*")

---
If this reply helps you, Karma would be appreciated.

tsm0099 · ‎10-27-2020

How do i form a table with those values?

How to extract values of a particular field for a json event.

field extraction

regex

table

Can’t make it to .conf25? Join us online!

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Unlock What’s Next: The Splunk Cloud Platform at .conf25

Are you a member of the Splunk Community?