How to refer to JSON array object in a Splunk sear...

caagrawal · ‎02-29-2016

Hi,

I have a JSON data in following format. How can I access individual element of the array?

{ [-] 
    LICENSES: [ [-] 
      AFL and GPLv2+ 
      AFL or GPLv2 
      Apache 
      Apache 2.0 
 ]
}

If I write search: | table LICENSES{}, it prints all licenses, however, I want to access an individual element as in first license or 2nd license. If I do something like table LICESNES{0} or table LICENSES{}.{0} etc ..nothing works. Please help.

asimagu · ‎02-29-2016

As far as I know, Splunk extracts the Json data into fields and by default the field names get the name after its corresponding trace in the Json object.

So, in your case LICENSES is a multivalue field , so in order to access each value you could do it like this

 | eval firstValue=mvIndex(LICENSES,0)  | eval secondValue=mvIndex(LICENSES,1) ....

and then table the results

... | table firstValue secondValue

How to refer to JSON array object in a Splunk search?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Announcing Modern Navigation: A New Era of Splunk User Experience

Observability Simplified: Combining User Experience, Application Performance & ...

Event Series May & June: From Network Visibility to Service Intelligence

Join the Conversation