Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Splunk query

ash2
Explorer
‎05-15-2024 08:10 PM

Hi All, hope you are having a great day, I have a quick question. I have the data given as below, how do i extract just the first value if attribute newValue (in our Eg., its "None"), first value of newValue keeps changing so cannot be hard-coded.
```{}```

{
targetResources: [ 
     { 
       displayName: null
       groupType: null
       id: f61b1166
       modifiedProperties: [ 
         { 
           displayName: PasswordPolicies
           newValue: ["None"]                                             // extract only this value
           oldValue: ["DisablePasswordExpiration"]
         }
         { 
           displayName: Included Updated Properties
           newValue: "PasswordPolicies"
           oldValue: null
         }
         { 
           displayName: TargetId.UserType
           newValue: "Member"
           oldValue: null
         }
       ]
}

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ash2
Explorer
‎05-20-2024 05:24 PM

I found the solution. 

| eval firstNewValue = mvindex(newValue,0)



 

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

ash2
Explorer
‎05-20-2024 05:24 PM

I found the solution. 

| eval firstNewValue = mvindex(newValue,0)



 

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎05-20-2024 10:25 PM

Hi @ash2 ,

good for you, see next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated by all the contributors 😉

0 Karma
Reply
Solved! Jump to solution

PickleRick
SplunkTrust
SplunkTrust
‎05-16-2024 01:02 AM

I'm not sure what you mean but if you want the value of the newValue field from the first object in the modifiedProperties array, you can use spath to extract value from particular node of your json structure.

| spath targetResources[0].modifiedProperties[0].newValue[0]

(if I remember the path syntax correctly; writing from memory)

0 Karma
Reply
Solved! Jump to solution

ash2
Explorer
‎05-19-2024 07:25 PM

Thanks @PickleRick , 

the query line you posted is not supported, not if it was before. Splunk is erring out saying unknown value 0

0 Karma
Reply
Solved! Jump to solution

ash2
Explorer
‎05-15-2024 10:29 PM

Hi Giuseppe,

Thank you for the query, unfortunately its not working for me. 

ash2_0-1715837329255.png

 

 

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎05-16-2024 12:05 AM

Hi @ash2,

max_match is an option of the rex command that says to the rex to take only the first extracted value, it isn't a field to display.

please try this (adding the new field (newValue2) to the table to see the difference:

| rex max_match=1 "(?ms)newValue:\s+\[*\"(?<newValue2>[^\"]+)"

Ciao.

Giuseppe

0 Karma
Reply
Solved! Jump to solution

ash2
Explorer
‎05-19-2024 04:53 PM

Hi Giuseppe,

Thank you for highlighting the mistake. I corrected the variable to newValue2 but unfortunately I found no luck  with the  query.

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎05-15-2024 10:17 PM

Hi @ash2,

please try this:

| rex max_match=1 "(?ms)newValue:\s+\[*\"(?<newValue>[^\"]+)"

Ciao.

Giuseppe

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Register for .conf25!
Get Updates on the Splunk Community!

.conf25 Global Broadcast: Don’t Miss a Moment

Hello Splunkers, .conf25 is only a click away.  Not able to make it to .conf25 in person? No worries, you can ...

Observe and Secure All Apps with Splunk

 Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

What's New in Splunk Observability - August 2025

What's New We are excited to announce the latest enhancements to Splunk Observability Cloud as well as what is ...