How to refer to JSON array object in a Splunk sear...

caagrawal · ‎02-29-2016

Hi,

I have a JSON data in following format. How can I access individual element of the array?

{ [-] 
    LICENSES: [ [-] 
      AFL and GPLv2+ 
      AFL or GPLv2 
      Apache 
      Apache 2.0 
 ]
}

If I write search: | table LICENSES{}, it prints all licenses, however, I want to access an individual element as in first license or 2nd license. If I do something like table LICESNES{0} or table LICENSES{}.{0} etc ..nothing works. Please help.

asimagu · ‎02-29-2016

As far as I know, Splunk extracts the Json data into fields and by default the field names get the name after its corresponding trace in the Json object.

So, in your case LICENSES is a multivalue field , so in order to access each value you could do it like this

 | eval firstValue=mvIndex(LICENSES,0)  | eval secondValue=mvIndex(LICENSES,1) ....

and then table the results

... | table firstValue secondValue

How to refer to JSON array object in a Splunk search?

Can’t make it to .conf25? Join us online!

Community Content Calendar, September edition

Splunkbase Unveils New App Listing Management Public Preview

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you a member of the Splunk Community?

How to refer to JSON array object in a Splunk search?

Can’t make it to .conf25? Join us online!

Community Content Calendar, September edition

Splunkbase Unveils New App Listing Management Public Preview

Leveraging Automated Threat Analysis Across the Splunk Ecosystem