Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to filter by if a field exist?

YatMan
Explorer
‎12-12-2022 11:08 PM

My sample events look like this , API logs

 

{
   location:  Southeast Asia,  
   properties:  {  
	backendMethod:  GET  
	errors:  [ 
	    {some huge nested object},
	    {some huge nested object}
       ]
   }
}

 

I want to search only the events with the "errors" field. If the API is successful, it does not have this "errors" field, and I don't want to search them.

I have tried
{baseSearch}  | where mvcount('properties.errors') > 0 , this return nothing
{baseSearch}  | where mvcount("properties.errors") > 0 , returning even the events without the "errors" field
{baseSearch}  | where isnotnull('properties.errors'), this return nothing
{baseSearch}  | where isnotnull("properties.errors"),returning even the events without the "errors" field
{baseSearch}  |  "properties.errors"=*.  ,  this return nothing

I just need something simple like {baseSearch}  |  where exist(properties.errors), what is the most simple way


Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

yuanliu
SplunkTrust
SplunkTrust
‎12-13-2022 02:20 AM

Several possibilities.  One is to find a common subnode in those huge nested objects.  For example, if 'id' is common in the array, do

| where isnotnull('properties.errors{}.id')

Another could be to run a second spath on the error (which can be beneficial for further processing, anyway)

| spath path=properties.errors{}
| where isnotnull('properties.errors{}')

(As always, remember to add {} to represent a JSON array.)  Hope this helps.

 

View solution in original post

0 Karma
Reply
Solved! Jump to solution

YatMan
Explorer
‎12-13-2022 03:32 PM

This is working, thank you!

0 Karma
Reply
Solved! Jump to solution
Solution

yuanliu
SplunkTrust
SplunkTrust
‎12-13-2022 02:20 AM

Several possibilities.  One is to find a common subnode in those huge nested objects.  For example, if 'id' is common in the array, do

| where isnotnull('properties.errors{}.id')

Another could be to run a second spath on the error (which can be beneficial for further processing, anyway)

| spath path=properties.errors{}
| where isnotnull('properties.errors{}')

(As always, remember to add {} to represent a JSON array.)  Hope this helps.

 

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...