Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

How to list element by a specific value?

sdhiaeddine
Explorer
‎02-06-2023 08:09 AM

Hi,

I have this table of data:

Name Age Address
Mark 21 1 st xxxxx
Elisabeth 21 2 st xxxxx
Jane 22 3 st xxxxx
Bryan 24 4 st xxxxx

 

I want to list only the elements having a specific age. Exp: list of person with Age=21

Name Age Address
Mark 21 1 st xxxxx
Elisabeth 21 2 st xxxxx

 

Thanks for your help.

Labels (3)
Labels
Tags (1)
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎02-06-2023 08:15 AM

Hi @sdhiaeddine,

if these ields are already correctly extracted you can put the condition in the main search:

index=your_index Age="21"
| table Name Age Address

if the fields aren0t already extracted, you should share some samples of your logs to create the extracting regex.

i hint to follow the Splunk Search Tutorial (https://docs.splunk.com/Documentation/Splunk/latest/SearchTutorial/WelcometotheSearchTutorial) to be authonomous in this kind of searches

Ciao.

Giuseppe

0 Karma
Reply

sdhiaeddine
Explorer
‎02-06-2023 08:23 AM

Hi  @gcusello,

Actually I run this to extract the data from a json like this:

{
	"list_element": [
		{
			"Address": "3 st xxxxx",
			"Age": "22",
			"Name": "Jane"
		},
		{
			"Address": "2 st xxxxx",
			"Age": "21",
			"Name": "Elisabeth"
		},
		{
			"Address": "1 st xxxxx",
			"Age": "21",
			"Name": "Mark"
		}
	]
}



index=* | stats values(list_element) as list_element by database
| spath input=list_element
| table Name Age Address

I guess, I need to set a condition after the "spath"?

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎02-06-2023 08:27 AM

Hi @sdhiaeddine,

the spath ommand must be before the stats command:

index=* 
| spath 
| where Age="21"
| table Name Age Address

or

index=* 
| spath 
| stats max(Age) AS Age values(Address) AS Address BY Name
| where Age="21"
| table Name Age Address

Ciao.

Giuseppe

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

How to find the worst searches in your Splunk environment and how to fix them

Everyone knows Splunk is a powerful platform for running searches and doing data analytics. Your ...

Share Your Feedback: On Admin Config Service (ACS)!

Help Us Build a Better Admin Config Service Experience (ACS)   We Want Your Feedback on Admin Config Service ...

Build the Future of Agentic AI: Join the Splunk Agentic Ops Hackathon

AI is changing how teams investigate incidents, detect threats, automate workflows, and build intelligent ...