Solved: Retrieve result from list

Nidd · ‎02-08-2021

I have a field in log like:

"policies":["Test1"]

for which I am not able to search through the keyword when I have the query:

index=myindex host=myhost policies=Test1

Since policies is a list and I cant be able to directly search it.

Is there any specific way I can search for inputs available in a list?

scelikok · ‎02-09-2021

Hi @Nidd,

Can you please try below;

index=myindex host=myhost policies{}=Test1

If this reply helps you an upvote and "Accept as Solution" is appreciated.

View solution in original post

isoutamo · ‎02-09-2021

Hi

based on your example you probably have an event which is JSON or partially has JSON? Then you could do e.g.

index=_internal earliest=-1m
| head 1
| eval _raw = "{\"policies\":[\"Test1\"]}"
```previous generate example event```
| spath
| search policies{} = "Test1"

Your event is something like this in JSON format:

{"policies":[
  "Test1"
]}

Nidd · ‎02-09-2021

Thank you @isoutamo

scelikok · ‎02-09-2021

Hi @Nidd,

Can you please try below;

index=myindex host=myhost policies{}=Test1

If this reply helps you an upvote and "Accept as Solution" is appreciated.

Nidd · ‎02-09-2021

Thank you @scelikok

Retrieve result from list

field extraction

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life