Solved: Retrieve result from list

Nidd · ‎02-08-2021

I have a field in log like:

"policies":["Test1"]

for which I am not able to search through the keyword when I have the query:

index=myindex host=myhost policies=Test1

Since policies is a list and I cant be able to directly search it.

Is there any specific way I can search for inputs available in a list?

scelikok · ‎02-09-2021

Hi @Nidd,

Can you please try below;

index=myindex host=myhost policies{}=Test1

If this reply helps you an upvote and "Accept as Solution" is appreciated.

View solution in original post

isoutamo · ‎02-09-2021

Hi

based on your example you probably have an event which is JSON or partially has JSON? Then you could do e.g.

index=_internal earliest=-1m
| head 1
| eval _raw = "{\"policies\":[\"Test1\"]}"
```previous generate example event```
| spath
| search policies{} = "Test1"

Your event is something like this in JSON format:

{"policies":[
  "Test1"
]}

Nidd · ‎02-09-2021

Thank you @isoutamo

scelikok · ‎02-09-2021

Hi @Nidd,

Can you please try below;

index=myindex host=myhost policies{}=Test1

If this reply helps you an upvote and "Accept as Solution" is appreciated.

Nidd · ‎02-09-2021

Thank you @scelikok

Retrieve result from list

field extraction

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Deep insights, no barriers: Splunk Observability Cloud Free Edition

Monitoring AI Agents with Splunk Observability Cloud

[Puzzles] Solve, Learn, Repeat: Tiling

Join the Conversation