Splunk Search

How to search indexed JSON array output for objects that match a distinct name/value pair

Path Finder

I'm calling a REST API using curl on a UF to collect data from a remote DataPower appliance; the output is in JSON format and is written to a flat file that Splunk ingests and indexes. The JSON data looks like this (this snippet represents one event ingested by Splunk with three classes/objects cited in the "ObjectStatus" array; in reality, there can be dozens and dozens of classes/objects within the array):


"_links" : {

"self" : {"href" : "/mgmt/status/default/ObjectStatus"},

"doc" : {"href" : "/mgmt/docs/status/ObjectStatus"}},

"ObjectStatus" : [{

"Class" : "DNSNameService",

"OpState" : "up",

"AdminState" : "enabled",

"Name" : "dns",

"EventCode" : "0x00000000",

"ErrorCode" : "",

"ConfigState" : "saved"}, {

"Class" : "CRLFetch",

"OpState" : "down",

"AdminState" : "enabled",

"Name" : "crl",

"EventCode" : "0x00360010",

"ErrorCode" : "No CRLs configured",

"ConfigState" : "saved"}, {

"Class" : "Statistics",

"OpState" : "up",

"AdminState" : "enabled",

"Name" : "statistics",

"EventCode" : "0x00000000",

"ErrorCode" : "",

"ConfigState" : "saved"}]}


I'm using a custom sourcetype to process the events in Splunk; props.conf looks like this (installed on both the UF and my indexers):

    KV_MODE = none

Splunk appears to be processing the events correctly, as the following fields are present (and match up with the expected values):








Here's my dilemma. I would like to identify objects in a particular state. For example:  I would like to know which objects in the array have ObjectStatus{}.OpState equal to "down", with the ObjectStatus{}.Class and ObjectStatus{}.OpState returned for each object that matches. I've tried a search query such as this...

    sourcetype=dp_json index=main "ObjectStatus{}.OpState"="down" | table "ObjectStatus{}.Class", "ObjectStatus{}.OpState"

...but this returns every Class from each event, regardless of OpState being "up" or "down".

What adjustments are required in order to get the output I'm looking for?

Labels (1)
0 Karma


@beetlegeuse , your query looks correct , but have you tried with "ObjectStatus{}.OpState"="*down*"  

to rule any possibility of spaces in the value.



0 Karma

Ultra Champion
index=_internal | head 1| fields _raw
| eval _raw="{\"_links\":{\"self\":{\"href\":\"/mgmt/status/default/ObjectStatus\"},\"doc\":{\"href\":\"/mgmt/docs/status/ObjectStatus\"}},\"ObjectStatus\":[{\"Class\":\"DNSNameService\",\"OpState\":\"up\",\"AdminState\":\"enabled\",\"Name\":\"dns\",\"EventCode\":\"0x00000000\",\"ErrorCode\":\"\",\"ConfigState\":\"saved\"},{\"Class\":\"CRLFetch\",\"OpState\":\"down\",\"AdminState\":\"enabled\",\"Name\":\"crl\",\"EventCode\":\"0x00360010\",\"ErrorCode\":\"No CRLs configured\",\"ConfigState\":\"saved\"},{\"Class\":\"Statistics\",\"OpState\":\"up\",\"AdminState\":\"enabled\",\"Name\":\"statistics\",\"EventCode\":\"0x00000000\",\"ErrorCode\":\"\",\"ConfigState\":\"saved\"}]}"
| spath ObjectStatus{} output=ObjectStatus
| spath
| stats values(links.*) as * by ObjectStatus
| spath input=ObjectStatus
| fields - ObjectStatus
| search OpState=down
0 Karma
Get Updates on the Splunk Community!

Using Machine Learning for Hunting Security Threats

WATCH NOW Seeing the exponential hike in global cyber threat spectrum, organizations are now striving more for ...

Observability Newsletter Highlights | March 2023

 March 2023 | Check out the latest and greatestSplunk APM's New Tag Filter ExperienceSplunk APM has updated ...

Security Newsletter Updates | March 2023

 March 2023 | Check out the latest and greatestUnify Your Security Operations with Splunk Mission Control The ...