How to retrieve one field from multiple responses?

greeshmak · ‎04-19-2017

I'm trying to retrieve a field from a response:

here is the example:

response=[{"code":0,"count":1,"mobile":"123456",},{"code":0,"count":2,mobile":"67891011",},{"code":0,"count":1,"mobile":"234567"},{"code":0,"count":1,"mobile":"2765432"},{"code":0,"count":1,"mobile":"8901234"}]}

I want to extract the mobile number from all braces, If i use extraction using kvdelim and pairdelim,I'm not able to extract all values, it is returning only first mobile value.

Can someone suggest how to extract every mobile number from the response.

Thanks in advance.

gokadroid · ‎04-19-2017

Since in you sample data, the mobile number comes always after keyword mobile however the " aren't always proper around it hence how about trying this:

your query to return the field response
| rex field=response max_match=0 "mobile(\D+)(?<mob>[\d]+)"
| table mob, response

This will create a multi-value field mob which will have all the mobile phone numbers which can be then used with mvexpand to tabulate or work upon something like below:

your query to return the field response
| rex field=response max_match=0 "mobile(\D+)(?<mob>[\d]+)"
| mvexpand mob
| table mob, response

How to retrieve one field from multiple responses?

Cisco Catalyst Center Meets Splunk ITSI: From 'Payments Are Down' to Root Cause in ...

Print, Leak, Repeat: UEBA Insider Threats You Can't Ignore

New Year, New Changes for Splunk Certifications

Join the Conversation

How to retrieve one field from multiple responses?

Cisco Catalyst Center Meets Splunk ITSI: From 'Payments Are Down' to Root Cause in ...

Print, Leak, Repeat: UEBA Insider Threats You Can't Ignore

New Year, New Changes for Splunk Certifications