Splunk Search

Search not returning all values from an array search

brytox
New Member

Hi

I'm trying to get data from an object containing an array, and my search returns some of the results, but I can't see why I don't get them all.

The data looks like this:
{
  "severity": "INFO",
  "name": "C758JH9",
  "items": [
    {
      "Name": "C758JH9",
      "Operating System": "Microsoft Windows 10 Enterprise",
      "ArticleID": "2920724",
      "ResourceId": "16783579",
      "LastStatusCheckTime": "20200713175056.983000+000",
      "DateCreated": "20170710214528.000000+000",
      "LocalizedDisplayName": "Update for Microsoft Office 2016 (KB2920724) 32-Bit Edition",
      "LastStatusCheckTime1": "20200713175056.983000+000",
      "LastLogonUserName": "saurpal",
      "LastLogonTimestamp": "20200703164437.000000+***",
      "Status CHnage": "20200713175056.983000+000",
      "Superseeded": "False",
      "Status": "INSTALLED"
    },
    {
      "Name": "C758JH9",
      "Operating System": "Microsoft Windows 10 Enterprise",
      "ArticleID": "2920712",
      "ResourceId": "16783579",
      "LastStatusCheckTime": "20200713175057.787000+000",
      "DateCreated": "20170710214536.000000+000",
      "LocalizedDisplayName": "Update for Microsoft Office 2016 (KB2920712) 32-Bit Edition",
      "LastStatusCheckTime1": "20200713175057.787000+000",
      "LastLogonUserName": "saurpal",
      "LastLogonTimestamp": "20200703164437.000000+***",
      "Status CHnage": "20200713175057.787000+000",
      "Superseeded": "False",
      "Status": "INSTALLED"
    },
    {
      "Name": "C758JH9",
      "Operating System": "Microsoft Windows 10 Enterprise",
      "ArticleID": "2920727",
      "ResourceId": "16783579",
      "LastStatusCheckTime": "20200713175056.407000+000",
      "DateCreated": "20170710214612.000000+000",
      "LocalizedDisplayName": "Security Update for Microsoft Office 2016 (KB2920727) 32-Bit Edition",
      "LastStatusCheckTime1": "20200713175056.407000+000",
      "LastLogonUserName": "saurpal",
      "LastLogonTimestamp": "20200703164437.000000+***",
      "Status CHnage": "20200713175056.407000+000",
      "Superseeded": "False",
      "Status": "INSTALLED"
    },
    {
      "Name": "C758JH9",
      "Operating System": "Microsoft Windows 10 Enterprise",
      "ArticleID": "3114690",
      "ResourceId": "16783579",
      "LastStatusCheckTime": "20200713175057.047000+000",
      "DateCreated": "20170710214844.000000+000",
      "LocalizedDisplayName": "Security Update for Microsoft Office 2016 (KB3114690) 32-Bit Edition",
      "LastStatusCheckTime1": "20200713175057.047000+000",
      "LastLogonUserName": "saurpal",
      "LastLogonTimestamp": "20200703164437.000000+***",
The set is much bigger; this one set has 77 entries. I'm trying to get a table to show the LocalizedDisplayName and the Status, which can be one of a few entries. When I run the below search it returns 25 records.
index="patching" | spath "name" | search name=LEWKPW10DSK121 
| spath
| fields - _raw _time
| rename items{}.* as * 
| eval data=mvzip(mvzip(LocalizedDisplayName,Status),ArticleID)
| fields data
| mvexpand data
| makemv data delim=","
| eval LocalizedDisplayName=mvindex(data,0)
| eval Status=mvindex(data,1)
| eval ArticleID=mvindex(data,2)
| table Status LocalizedDisplayName ArticleID
Any pointers would be great. Thanks.


brytox
New Member

Seems I was overthinking it.

This gives me the data I needed:

index="patching" | spath "name" | search name=C758JH9
| spath path=items{} output=report
| mvexpand report
| spath input=report
| fields Status, LocalizedDisplayName, ArticleID
| table Status, LocalizedDisplayName, ArticleID
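
Both searches in this thread do the same job: turn the `items` array into one row per element carrying Status, LocalizedDisplayName and ArticleID. The Python below is an added example, not code from the thread or from Splunk. It reproduces both approaches outside Splunk on a constructed event modelled on the poster's data (two items copied from the question plus one constructed item, KB4000000, whose display name contains a comma): `expand_items` mirrors the working `spath path=items{} output=report | mvexpand report | spath input=report` pipeline, while `zip_and_split` mirrors the original `mvzip`/`makemv delim=","` pipeline and shows how the columns shift as soon as a value contains the delimiter, so a patch that is MISSING can end up tabled under a garbage status. `exceeds_auto_extraction_cutoff` is a sanity check against `extraction_cutoff` in limits.conf (`[spath]` stanza, default 5000 bytes), which bounds how much of `_raw` the bare `| spath` extract-all mode parses; it is the first thing to check when auto-extraction yields fewer array elements than the raw event holds. The function names and the KB4000000 item are assumptions made for this example.

```python
"""Expand a JSON event with an "items" array into one table row per item.

Added example for the thread above; not the poster's or Splunk's code. It lets the
row count and column alignment be checked against the raw JSON outside Splunk.
"""
import json

# Constructed sample event modelled on the poster's data: two items copied from
# the question, plus one constructed item whose display name contains a comma.
SAMPLE_EVENT = json.dumps({
    "severity": "INFO",
    "name": "C758JH9",
    "items": [
        {"Name": "C758JH9", "ArticleID": "2920724", "Status": "INSTALLED",
         "LocalizedDisplayName": "Update for Microsoft Office 2016 (KB2920724) 32-Bit Edition"},
        {"Name": "C758JH9", "ArticleID": "2920727", "Status": "INSTALLED",
         "LocalizedDisplayName": "Security Update for Microsoft Office 2016 (KB2920727) 32-Bit Edition"},
        # constructed item: the comma in the name is the interesting part
        {"Name": "C758JH9", "ArticleID": "4000000", "Status": "MISSING",
         "LocalizedDisplayName": "Security Update for Windows, Version 1909 (KB4000000)"},
    ],
})

FIELDS = ("Status", "LocalizedDisplayName", "ArticleID")
KNOWN_STATUSES = ("INSTALLED", "MISSING")  # assumed set of valid Status values
AUTO_EXTRACTION_CUTOFF = 5000  # limits.conf [spath] extraction_cutoff default, bytes


def expand_items(raw):
    """Mirror `spath path=items{} output=report | mvexpand report | spath input=report`:
    every array element becomes its own record and the wanted fields are read from it."""
    event = json.loads(raw)
    return [{f: item.get(f) for f in FIELDS} for item in event.get("items", [])]


def zip_and_split(raw, delim=","):
    """Mirror `mvzip(mvzip(LocalizedDisplayName,Status),ArticleID)` + `makemv delim=","`
    + `mvindex`: the three values are glued into one delimited string and split back.
    Any delimiter inside a value shifts every column to its right."""
    event = json.loads(raw)
    rows = []
    for item in event.get("items", []):
        joined = delim.join([item["LocalizedDisplayName"], item["Status"], item["ArticleID"]])
        parts = joined.split(delim)  # makemv splits on every delimiter, not just the two we added
        rows.append({"LocalizedDisplayName": parts[0], "Status": parts[1], "ArticleID": parts[2]})
    return rows


def find_misaligned(rows, known_statuses=KNOWN_STATUSES):
    """Return rows whose Status is not a known value: a cheap check that a zipped
    table has not been shifted by a stray delimiter."""
    return [r for r in rows if r["Status"] not in known_statuses]


def exceeds_auto_extraction_cutoff(raw, cutoff=AUTO_EXTRACTION_CUTOFF):
    """True when the raw event is larger than the bare `| spath` extract-all mode
    parses, so an auto-extracted array may hold fewer elements than the event."""
    return len(raw.encode("utf-8")) > cutoff


if __name__ == "__main__":
    good = expand_items(SAMPLE_EVENT)
    zipped = zip_and_split(SAMPLE_EVENT)
    print(f"per-element expansion: {len(good)} rows, "
          f"{len(find_misaligned(good))} misaligned")
    print(f"mvzip/makemv emulation: {len(zipped)} rows, "
          f"{len(find_misaligned(zipped))} misaligned")
    for r in find_misaligned(zipped):
        print("  shifted row:", r)
    print("event exceeds auto-extraction cutoff:",
          exceeds_auto_extraction_cutoff(SAMPLE_EVENT))
```

Run it as a script to see the comparison; on the constructed event the per-element expansion yields three clean rows, while the zipped emulation puts the tail of the display name into the Status column and the real status into ArticleID for the KB4000000 item. The same check, pointed at an exported `_raw` event, tells you whether a 77-item array is even within the bytes that bare `| spath` would parse.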