Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Splunk Search
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Search not retuning all values from a array search
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Search not retuning all values from a array search
brytox
New Member
07-20-2020
09:50 AM
HI
Im trying to get data from an object containing an array, and my search returns some of the results but i cant see why I dont get them all.
The data looks like this:
{
"severity": "INFO",
"name": "C758JH9",
"items": [
{
"Name": "C758JH9",
"Operating System": "Microsoft Windows 10 Enterprise",
"ArticleID": "2920724",
"ResourceId": "16783579",
"LastStatusCheckTime": "20200713175056.983000+000",
"DateCreated": "20170710214528.000000+000",
"LocalizedDisplayName": "Update for Microsoft Office 2016 (KB2920724) 32-Bit Edition",
"LastStatusCheckTime1": "20200713175056.983000+000",
"LastLogonUserName": "saurpal",
"LastLogonTimestamp": "20200703164437.000000+***",
"Status CHnage": "20200713175056.983000+000",
"Superseeded": "False",
"Status": "INSTALLED"
},
{
"Name": "C758JH9",
"Operating System": "Microsoft Windows 10 Enterprise",
"ArticleID": "2920712",
"ResourceId": "16783579",
"LastStatusCheckTime": "20200713175057.787000+000",
"DateCreated": "20170710214536.000000+000",
"LocalizedDisplayName": "Update for Microsoft Office 2016 (KB2920712) 32-Bit Edition",
"LastStatusCheckTime1": "20200713175057.787000+000",
"LastLogonUserName": "saurpal",
"LastLogonTimestamp": "20200703164437.000000+***",
"Status CHnage": "20200713175057.787000+000",
"Superseeded": "False",
"Status": "INSTALLED"
},
{
"Name": "C758JH9",
"Operating System": "Microsoft Windows 10 Enterprise",
"ArticleID": "2920727",
"ResourceId": "16783579",
"LastStatusCheckTime": "20200713175056.407000+000",
"DateCreated": "20170710214612.000000+000",
"LocalizedDisplayName": "Security Update for Microsoft Office 2016 (KB2920727) 32-Bit Edition",
"LastStatusCheckTime1": "20200713175056.407000+000",
"LastLogonUserName": "saurpal",
"LastLogonTimestamp": "20200703164437.000000+***",
"Status CHnage": "20200713175056.407000+000",
"Superseeded": "False",
"Status": "INSTALLED"
},
{
"Name": "C758JH9",
"Operating System": "Microsoft Windows 10 Enterprise",
"ArticleID": "3114690",
"ResourceId": "16783579",
"LastStatusCheckTime": "20200713175057.047000+000",
"DateCreated": "20170710214844.000000+000",
"LocalizedDisplayName": "Security Update for Microsoft Office 2016 (KB3114690) 32-Bit Edition",
"LastStatusCheckTime1": "20200713175057.047000+000",
"LastLogonUserName": "saurpal",
"LastLogonTimestamp": "20200703164437.000000+***",
The set is much bigger, this one set has 77 entries, im trying to get a table to show the LocalizedDisplayName and the Status, can be one of a few entires. When i run the blow search it returns me 25 records.
index="patching" | spath "name" | search name=LEWKPW10DSK121
| spath
| fields - _raw _time
| rename items{}.* as *
| eval data=mvzip(mvzip(LocalizedDisplayName,Status),ArticleID)
| fields data
| mvexpand data
| makemv data delim=","
| eval LocalizedDisplayName=mvindex(data,0)
| eval Status=mvindex(data,1)
| eval ArticleID=mvindex(data,2)
| table Status LocalizedDisplayName ArticleID
Any pointers would be great. Thanks.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
brytox
New Member
07-20-2020
11:30 AM
Seems I was overthinking it.
This gives me the data i needed
index="patching" | spath "name" | search name=C758JH9 | spath path=items{} output=report | mvexpand report | spath input=report | fields Status, LocalizedDisplayName, ArticleID | table Status, LocalizedDisplayName, ArticleID
Got questions? Get answers!
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Meet up IRL or virtually!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Get Updates on the Splunk Community!
Observability Simplified: Combining User Experience, Application Performance & ...
Tech Talk
Observability Simplified: Combining User Experience, Application Performance & Network ...
Event Series May & June: From Network Visibility to Service Intelligence
Unifying the Network: Moving from Alert Noise to Service Intelligence with Splunk ITSI
In today’s hybrid ...
Global Splunk User Group Events: May + June 2026
Your Splunk Community Awaits: Discover Upcoming User Group Events Worldwide
Staying ahead in the fast-paced ...
