Splunk Search

Splunk Json extraction - single and multiple items in fields.

MrPink99
New Member

Hi,

New to Splunk, first-time lister. Hoping for some help.

I am trying to extract nested JSON data from a Windows Event log message in Splunk. This works (up to a point):

index="someindex" host="Ahost1" | spath input=Message

It's great, except one of the JSON fields is called 'JSON_ArrayUsers' and contains UPNs of users. Sometimes it contains a single user, sometimes more than one user.

When there is more than one user, Splunk calls the field this:

JSON_ArrayUsers{}

and when just a single user is listed it names the field this:

JSON_ArrayUsers

This makes searching the field difficult as it's called two different things. Is there an easy way to stop the {} appearing? I already know it's an array!

Thanks,

Pete
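As an added example (not part of the original post), a search that normalizes the two field names: `coalesce` takes whichever of `JSON_ArrayUsers{}` (multivalue, from an array) or `JSON_ArrayUsers` (single value) `spath` produced, and `mvexpand` then yields one row per user so the value is searched the same way in both cases. The `makeresults` events are constructed sample data standing in for the Windows event `Message` field, and the `EventName` key is assumed.

```spl
| makeresults count=2
| streamstats count AS n
| eval Message=if(n=1,
    "{\"EventName\":\"GroupMemberAdded\",\"JSON_ArrayUsers\":\"alice@example.com\"}",
    "{\"EventName\":\"GroupMemberAdded\",\"JSON_ArrayUsers\":[\"bob@example.com\",\"carol@example.com\"]}")
| spath input=Message
| eval users=coalesce('JSON_ArrayUsers{}', JSON_ArrayUsers)
| mvexpand users
| search users="*@example.com"
| table _time EventName users
```

Against real data, replace the first three constructed lines with the original `index="someindex" host="Ahost1"` search and keep the rest of the pipeline unchanged; the single quotes around `'JSON_ArrayUsers{}'` are required because `eval` otherwise does not accept the braces in a field name.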
