Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to list element by a specific value?

sdhiaeddine
Explorer
‎02-06-2023 08:09 AM

Hi,

I have this table of data:

Name Age Address
Mark 21 1 st xxxxx
Elisabeth 21 2 st xxxxx
Jane 22 3 st xxxxx
Bryan 24 4 st xxxxx

 

I want to list only the elements having a specific age. Exp: list of person with Age=21

Name Age Address
Mark 21 1 st xxxxx
Elisabeth 21 2 st xxxxx

 

Thanks for your help.

Labels (3)
Labels
Tags (1)
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎02-06-2023 08:15 AM

Hi @sdhiaeddine,

if these ields are already correctly extracted you can put the condition in the main search:

index=your_index Age="21"
| table Name Age Address

if the fields aren0t already extracted, you should share some samples of your logs to create the extracting regex.

i hint to follow the Splunk Search Tutorial (https://docs.splunk.com/Documentation/Splunk/latest/SearchTutorial/WelcometotheSearchTutorial) to be authonomous in this kind of searches

Ciao.

Giuseppe

0 Karma
Reply

sdhiaeddine
Explorer
‎02-06-2023 08:23 AM

Hi  @gcusello,

Actually I run this to extract the data from a json like this:

{
	"list_element": [
		{
			"Address": "3 st xxxxx",
			"Age": "22",
			"Name": "Jane"
		},
		{
			"Address": "2 st xxxxx",
			"Age": "21",
			"Name": "Elisabeth"
		},
		{
			"Address": "1 st xxxxx",
			"Age": "21",
			"Name": "Mark"
		}
	]
}



index=* | stats values(list_element) as list_element by database
| spath input=list_element
| table Name Age Address

I guess, I need to set a condition after the "spath"?

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎02-06-2023 08:27 AM

Hi @sdhiaeddine,

the spath ommand must be before the stats command:

index=* 
| spath 
| where Age="21"
| table Name Age Address

or

index=* 
| spath 
| stats max(Age) AS Age values(Address) AS Address BY Name
| where Age="21"
| table Name Age Address

Ciao.

Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

Splunk Enterprise Security 8.x: The Essential Upgrade for Threat Detection, ...

Watch On Demand the Tech Talk, and empower your SOC to reach new heights! Duration: 1 hour  Prepare to ...

Splunk Observability as Code: From Zero to Dashboard

For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...