Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to list element by a specific value?

sdhiaeddine
Explorer
‎02-06-2023 08:09 AM

Hi,

I have this table of data:

Name Age Address
Mark 21 1 st xxxxx
Elisabeth 21 2 st xxxxx
Jane 22 3 st xxxxx
Bryan 24 4 st xxxxx

 

I want to list only the elements having a specific age. Exp: list of person with Age=21

Name Age Address
Mark 21 1 st xxxxx
Elisabeth 21 2 st xxxxx

 

Thanks for your help.

Labels (3)
Labels
Tags (1)
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎02-06-2023 08:15 AM

Hi @sdhiaeddine,

if these ields are already correctly extracted you can put the condition in the main search:

index=your_index Age="21"
| table Name Age Address

if the fields aren0t already extracted, you should share some samples of your logs to create the extracting regex.

i hint to follow the Splunk Search Tutorial (https://docs.splunk.com/Documentation/Splunk/latest/SearchTutorial/WelcometotheSearchTutorial) to be authonomous in this kind of searches

Ciao.

Giuseppe

0 Karma
Reply

sdhiaeddine
Explorer
‎02-06-2023 08:23 AM

Hi  @gcusello,

Actually I run this to extract the data from a json like this:

{
	"list_element": [
		{
			"Address": "3 st xxxxx",
			"Age": "22",
			"Name": "Jane"
		},
		{
			"Address": "2 st xxxxx",
			"Age": "21",
			"Name": "Elisabeth"
		},
		{
			"Address": "1 st xxxxx",
			"Age": "21",
			"Name": "Mark"
		}
	]
}



index=* | stats values(list_element) as list_element by database
| spath input=list_element
| table Name Age Address

I guess, I need to set a condition after the "spath"?

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎02-06-2023 08:27 AM

Hi @sdhiaeddine,

the spath ommand must be before the stats command:

index=* 
| spath 
| where Age="21"
| table Name Age Address

or

index=* 
| spath 
| stats max(Age) AS Age values(Address) AS Address BY Name
| where Age="21"
| table Name Age Address

Ciao.

Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability Cloud’s AI Assistant in Action Series: Analyzing and ...

This is the second post in our Splunk Observability Cloud’s AI Assistant in Action series, in which we look at ...

Elevate Your Organization with Splunk’s Next Platform Evolution

 Thursday, July 10, 2025  |  11AM PDT / 2PM EDT Whether you're managing complex deployments or looking to ...

Splunk Answers Content Calendar, June Edition

Get ready for this week’s post dedicated to Splunk Dashboards! We're celebrating the power of community by ...
Top