Splunk Search
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Splunk query

ash2
Explorer
‎05-15-2024 08:10 PM

Hi All, hope you are having a great day, I have a quick question. I have the data given as below, how do i extract just the first value if attribute newValue (in our Eg., its "None"), first value of newValue keeps changing so cannot be hard-coded.
```{}```

{
targetResources: [ 
     { 
       displayName: null
       groupType: null
       id: f61b1166
       modifiedProperties: [ 
         { 
           displayName: PasswordPolicies
           newValue: ["None"]                                             // extract only this value
           oldValue: ["DisablePasswordExpiration"]
         }
         { 
           displayName: Included Updated Properties
           newValue: "PasswordPolicies"
           oldValue: null
         }
         { 
           displayName: TargetId.UserType
           newValue: "Member"
           oldValue: null
         }
       ]
}

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ash2
Explorer
‎05-20-2024 05:24 PM

I found the solution. 

| eval firstNewValue = mvindex(newValue,0)



 

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

ash2
Explorer
‎05-20-2024 05:24 PM

I found the solution. 

| eval firstNewValue = mvindex(newValue,0)



 

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎05-20-2024 10:25 PM

Hi @ash2 ,

good for you, see next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated by all the contributors 😉

0 Karma
Reply
Solved! Jump to solution

PickleRick
SplunkTrust
SplunkTrust
‎05-16-2024 01:02 AM

I'm not sure what you mean but if you want the value of the newValue field from the first object in the modifiedProperties array, you can use spath to extract value from particular node of your json structure.

| spath targetResources[0].modifiedProperties[0].newValue[0]

(if I remember the path syntax correctly; writing from memory)

0 Karma
Reply
Solved! Jump to solution

ash2
Explorer
‎05-19-2024 07:25 PM

Thanks @PickleRick , 

the query line you posted is not supported, not if it was before. Splunk is erring out saying unknown value 0

0 Karma
Reply
Solved! Jump to solution

ash2
Explorer
‎05-15-2024 10:29 PM

Hi Giuseppe,

Thank you for the query, unfortunately its not working for me. 

ash2_0-1715837329255.png

 

 

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎05-16-2024 12:05 AM

Hi @ash2,

max_match is an option of the rex command that says to the rex to take only the first extracted value, it isn't a field to display.

please try this (adding the new field (newValue2) to the table to see the difference:

| rex max_match=1 "(?ms)newValue:\s+\[*\"(?<newValue2>[^\"]+)"

Ciao.

Giuseppe

0 Karma
Reply
Solved! Jump to solution

ash2
Explorer
‎05-19-2024 04:53 PM

Hi Giuseppe,

Thank you for highlighting the mistake. I corrected the variable to newValue2 but unfortunately I found no luck  with the  query.

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎05-15-2024 10:17 PM

Hi @ash2,

please try this:

| rex max_match=1 "(?ms)newValue:\s+\[*\"(?<newValue>[^\"]+)"

Ciao.

Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

Preparing your Splunk Environment for OpenSSL3

The Splunk platform will transition to OpenSSL version 3 in a future release. Actions are required to prepare ...

Unleash Unified Security and Observability with Splunk Cloud Platform

     Now Available on Microsoft AzureThursday, March 27, 2025  |  11AM PST / 2PM EST | Register NowStep boldly ...

Splunk AppDynamics with Cisco Secure Application

Web applications unfortunately present a target rich environment for security vulnerabilities and attacks. ...
Top