Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Using MVZip and MVExpand on MultiValue fields where array sometimes doesnt exists

rajkumarsowmy
New Member
‎04-12-2019 09:51 AM

{
"timestamp": "2019-04-11T16:44:45.497462",
"payload": {
"KEY_CHK_DCN_NBR": "19054",
"recommendations": [
{
"modelName": "abc",
"description": "30",
"actionCode": "0261109614",
"actionValue": 0.027422948195084923
},
{
"modelName": "abc",
"description": "30",
"actionCode": "0261109614",
"actionValue": 0.027422948195084923
}
],
"respCd": "700",
}

I have a api logging this information in splunk.
I need to extract
timestamp, payload{}.KEY_CHK_DCN_NBR, payload{}.recommendations.actionCode and payload{}.recommendations.actionvalue

i tried below,

|spath output="DCN Number" path=payload.KEY_CHK_DCN_NBR
|spath output=Timestamp path=timestamp
|spath path=payload.recommendations{} output=r
|mvexpand r
|rename r as _raw
|kv
|rename actionCode ,actionValue
|table "DCN Number" actionCode actionValue Timestamp
| search "DCN Number"!=null

what happens is, in some of the request recommendation array may not be coming, still i need to capture KEY_CHK_DCN_NBR and timestamp and empty value for actioncode and actionvalue.

with my try im able to get all the non-null value.

can anyone help here?

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎04-12-2019 10:59 AM

Give this a try

your base search | spath | table payload* timestamp | rename payload.recommendations{}.* as * payload.* as *  | fields - description modelName respCd | eval temp=coalesce(mvzip(actionCode,actionValue,"##"), "") | mvexpand temp | rex field=temp "(?<actionCode>.+)##(?<actionValue>.+)" | fields - temp

See this runanywhere search with sample data

| gentimes start=-1 | eval _raw="{
 \"timestamp\": \"2019-04-11T16:44:45.497462\",
\"payload\": {
 \"KEY_CHK_DCN_NBR\": \"19054\",
 \"recommendations\": [
 {
 \"modelName\": \"abc\",
 \"description\": \"30\",
 \"actionCode\": \"0261109614\",
 \"actionValue\": 0.027422948195084923
 },
 {
 \"modelName\": \"abc\",
 \"description\": \"30\",
 \"actionCode\": \"0261109614\",
 \"actionValue\": 0.027422948195084923
 }
 ],
 \"respCd\": \"700\",
}" | table _raw  | append [| gentimes start=-1 | eval _raw="{
 \"timestamp\": \"2019-04-11T16:44:45.497462\",
\"payload\": {
 \"KEY_CHK_DCN_NBR\": \"19054\",
 \"respCd\": \"700\",
}" | table _raw ] | spath | table payload* timestamp | rename payload.recommendations{}.* as * payload.* as *  | fields - description modelName respCd | eval temp=coalesce(mvzip(actionCode,actionValue,"##"), "") | mvexpand temp | rex field=temp "(?<actionCode>.+)##(?<actionValue>.+)" | fields - temp

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎04-12-2019 10:59 AM

Give this a try

your base search | spath | table payload* timestamp | rename payload.recommendations{}.* as * payload.* as *  | fields - description modelName respCd | eval temp=coalesce(mvzip(actionCode,actionValue,"##"), "") | mvexpand temp | rex field=temp "(?<actionCode>.+)##(?<actionValue>.+)" | fields - temp

See this runanywhere search with sample data

| gentimes start=-1 | eval _raw="{
 \"timestamp\": \"2019-04-11T16:44:45.497462\",
\"payload\": {
 \"KEY_CHK_DCN_NBR\": \"19054\",
 \"recommendations\": [
 {
 \"modelName\": \"abc\",
 \"description\": \"30\",
 \"actionCode\": \"0261109614\",
 \"actionValue\": 0.027422948195084923
 },
 {
 \"modelName\": \"abc\",
 \"description\": \"30\",
 \"actionCode\": \"0261109614\",
 \"actionValue\": 0.027422948195084923
 }
 ],
 \"respCd\": \"700\",
}" | table _raw  | append [| gentimes start=-1 | eval _raw="{
 \"timestamp\": \"2019-04-11T16:44:45.497462\",
\"payload\": {
 \"KEY_CHK_DCN_NBR\": \"19054\",
 \"respCd\": \"700\",
}" | table _raw ] | spath | table payload* timestamp | rename payload.recommendations{}.* as * payload.* as *  | fields - description modelName respCd | eval temp=coalesce(mvzip(actionCode,actionValue,"##"), "") | mvexpand temp | rex field=temp "(?<actionCode>.+)##(?<actionValue>.+)" | fields - temp
0 Karma
Reply
Solved! Jump to solution

rajkumarsowmy
New Member
‎04-15-2019 09:00 AM

Thank you very much @somesoni2 this resolved my issues!!

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...