Solved: How to iterate over the values of a complex field?

Evgenii · ‎01-10-2023

The event has a field:

{
...
some_field: {
 key1: value1
 key2: value2
}
...
}

How to iterate over the values of "some_field" field?

For example I need to get max value.

I need something like this:

... | eval filed_max_value=max(map_values(some_field))

For map_value I get error: Error in 'EvalCommand': The 'map_values' function is unsupported or undefined.

Could you also explain how to use map_keys and map_values functions ?

bowesmana · ‎01-10-2023

Here's an example that uses foreach to iterate through the keys/values within somefield.

| makeresults
| eval _raw="{\"some_field\": {
\"key1\": 10,
\"key2\": 20,
\"key3\": 5,
\"key4\": 77,
\"key5\": 33,
}
}"
| spath
| foreach some_field.* [
  | eval max=max('<<FIELD>>', max), max_field_key=if('<<FIELD>>'=max, "<<MATCHSTR>>", max_field_key)
]

Note that if there are duplicate values, it will take the last field name as the max_field_key.

Anyway, hope this helps.

View solution in original post

Evgenii · ‎01-11-2023

Magic with

spath | foreach some_field.*

works.

Thanks a lot!

bowesmana · ‎01-10-2023

Also, those functions you reference are from DSP, not Splunk.

bowesmana · ‎01-10-2023

Here's an example that uses foreach to iterate through the keys/values within somefield.

| makeresults
| eval _raw="{\"some_field\": {
\"key1\": 10,
\"key2\": 20,
\"key3\": 5,
\"key4\": 77,
\"key5\": 33,
}
}"
| spath
| foreach some_field.* [
  | eval max=max('<<FIELD>>', max), max_field_key=if('<<FIELD>>'=max, "<<MATCHSTR>>", max_field_key)
]

Note that if there are duplicate values, it will take the last field name as the max_field_key.

Anyway, hope this helps.

How to iterate over the values of a complex field?

field extraction

fields

New This Month in Splunk Observability Cloud - Metrics Usage Analytics, Enhanced K8s ...

Alerting Best Practices: How to Create Good Detectors

Discover Powerful New Features in Splunk Cloud Platform: Enhanced Analytics, ...