How to filter first array element?

andreaantonioni · ‎02-18-2022

My data is something like this:

stackTrace: [
{
   inProject: false,
   file: "/path/to/file.c"
},
{
   inProject: true,
   file: "/path/to/file.c"
}, 
{
   inProject: false,
   file: "/path/to/file.c"
}
]

I'd like to get the list of events where the first element that has inProject=true contains "file.c" in file.

PickleRick · ‎02-18-2022

Well, the wording here is a little tricky because if reading your request literarily, something like this:

stackTrace: [
{
   inProject: true,
   file: "/path/to/otherfile.c"
},
{
   inProject: true,
   file: "/path/to/file.c"
}
]

Should not match. (Bonus question about the filename matching but i suppose you want the literal "file.c" as whole filename, so the "otherfile.c" is something you don't want. Otherwise of course you can adjust the example accordingly.

somesoni2 · ‎02-18-2022

If your data is indexed and parsed correctly (as valid json element), something like this should work.

Your current search which includes field with name stackTrace{}.inProject and stackTrace{}.file
| where mvindex('stackTrace{}.inProject',0)="false" AND like('stackTrace{}.inProject',"%file.c")

ITWhisperer · ‎02-18-2022

| spath stackTrace{} output=stackTrace
| mvexpand stackTrace
| spath input=stackTrace
| where inProject="true" AND match(file,"file\.c")

How to filter first array element?

eval

fields

Dashboards: Hiding charts while search is being executed and other uses for tokens

Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...

Brains, Bytes, and Boston: Learn from the Best at .conf25

Are you a member of the Splunk Community?

How to filter first array element?

eval

fields

Dashboards: Hiding charts while search is being executed and other uses for tokens

Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...

Brains, Bytes, and Boston: Learn from the Best at .conf25