Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to search against multiple elements

47024
New Member
‎11-20-2019 08:52 AM

I'm trying to capture occurrences when multiple criteria are true in an event where elements can exist multiple times in the message.

For example, with the below event I want to capture how often events have an element that is both id=A and width>600.

Because there are multiple walls I can easily filter when any element has an id=A or a width>600, but I cannot figure out how to filter where both criteria are met.

Example message below:

elements: [
   {
      id: A
      width: 585
   }
   {
      id: B
      width: 605
   }
]
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

aberkow
Builder
‎11-20-2019 01:07 PM

You can either leverage the spath command https://docs.splunk.com/Documentation/Splunk/8.0.0/SearchReference/Spath to make the data easier to work with, or look at the answer posted here: https://answers.splunk.com/answers/784418/dynamic-loop-through-a-json-array-looking-for-trig.html#an...

Essentially, you need to create a pairing between id and width, separate them into their own rows, index them out, and then run your search:

{code}
your_base_search
| eval id_zip_width=mvzip(id,width)
| mvexpand id_zip_width
| eval id_zip_width=split(id_zip_width,",")
| eval id=mvindex(id_zip_width,0)
| eval width=mvindex(id_zip_width,1)
| search id="A" and width>600
{code}

Hope this helps!

View solution in original post

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎11-20-2019 02:46 PM

Like this:

... | eval _raw = mvzip(id, width, "=")
| kv
| where A>600
0 Karma
Reply
Solved! Jump to solution
Solution

aberkow
Builder
‎11-20-2019 01:07 PM

You can either leverage the spath command https://docs.splunk.com/Documentation/Splunk/8.0.0/SearchReference/Spath to make the data easier to work with, or look at the answer posted here: https://answers.splunk.com/answers/784418/dynamic-loop-through-a-json-array-looking-for-trig.html#an...

Essentially, you need to create a pairing between id and width, separate them into their own rows, index them out, and then run your search:

{code}
your_base_search
| eval id_zip_width=mvzip(id,width)
| mvexpand id_zip_width
| eval id_zip_width=split(id_zip_width,",")
| eval id=mvindex(id_zip_width,0)
| eval width=mvindex(id_zip_width,1)
| search id="A" and width>600
{code}

Hope this helps!

0 Karma
Reply
Solved! Jump to solution

47024
New Member
‎11-22-2019 06:19 AM

This worked! Thank you very much.

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎11-22-2019 07:49 AM

Be sure to try mine; it should scale better and is much shorter.

0 Karma
Reply
Get Updates on the Splunk Community!

.conf25 Community Recap

Hello Splunkers, And just like that, .conf25 is in the books! What an incredible few days — full of learning, ...

Splunk App Developers | .conf25 Recap & What’s Next

If you stopped by the Builder Bar at .conf25 this year, thank you! The retro tech beer garden vibes were ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...