Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to list element by a specific value?

sdhiaeddine
Explorer
‎02-06-2023 08:09 AM

Hi,

I have this table of data:

Name Age Address
Mark 21 1 st xxxxx
Elisabeth 21 2 st xxxxx
Jane 22 3 st xxxxx
Bryan 24 4 st xxxxx

 

I want to list only the elements having a specific age. Exp: list of person with Age=21

Name Age Address
Mark 21 1 st xxxxx
Elisabeth 21 2 st xxxxx

 

Thanks for your help.

Labels (3)
Labels
Tags (1)
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎02-06-2023 08:15 AM

Hi @sdhiaeddine,

if these ields are already correctly extracted you can put the condition in the main search:

index=your_index Age="21"
| table Name Age Address

if the fields aren0t already extracted, you should share some samples of your logs to create the extracting regex.

i hint to follow the Splunk Search Tutorial (https://docs.splunk.com/Documentation/Splunk/latest/SearchTutorial/WelcometotheSearchTutorial) to be authonomous in this kind of searches

Ciao.

Giuseppe

0 Karma
Reply

sdhiaeddine
Explorer
‎02-06-2023 08:23 AM

Hi  @gcusello,

Actually I run this to extract the data from a json like this:

{
	"list_element": [
		{
			"Address": "3 st xxxxx",
			"Age": "22",
			"Name": "Jane"
		},
		{
			"Address": "2 st xxxxx",
			"Age": "21",
			"Name": "Elisabeth"
		},
		{
			"Address": "1 st xxxxx",
			"Age": "21",
			"Name": "Mark"
		}
	]
}



index=* | stats values(list_element) as list_element by database
| spath input=list_element
| table Name Age Address

I guess, I need to set a condition after the "spath"?

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎02-06-2023 08:27 AM

Hi @sdhiaeddine,

the spath ommand must be before the stats command:

index=* 
| spath 
| where Age="21"
| table Name Age Address

or

index=* 
| spath 
| stats max(Age) AS Age values(Address) AS Address BY Name
| where Age="21"
| table Name Age Address

Ciao.

Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

Transforming Financial Data into Fraud Intelligence

Every day, banks and financial companies handle millions of transactions, logins, and customer interactions ...

How to send events & findings from AWS to Splunk using Amazon EventBridge

Amazon EventBridge is a serverless service that uses events to connect application components together, making ...

Exciting News: The AppDynamics Community Joins Splunk!

Hello Splunkers,   I’d like to introduce myself—I’m Ryan, the former AppDynamics Community Manager, and I’m ...
li.common.scroll-to.top