Splunk Search

Why do results from extraction of multivalued fields contain fields missing in each statements?

wvalente2
Engager

Hi all,

I need your help with a query to extract the values of fields with multiple values.

The problem I'm facing is that not every JSON structure has the two values that I need to extract (Name and Value).

Below is an example of the log:

"OperationProperties": [{
"Name": "Actions",
"Value": "XX"
}, {
"Name": "Conditions",
"Value": "XX"
}, {
"Name": "Provider",
"Value": "XX"
}, {
"Name": "RemoveOutlookRuleBlob"
}, {
"Name": "Name",
"Value": "XX"
}, {
"Name": "IsNew"
}, {
"Name": "IsDirty",
"Value": "XX"
}, {
"Name": "RuleOperation",
"Value": "XX"
}, {
"Name": "ServerRule",
"Value": "XX"
}],

The fields 'Name: IsNew' and 'Name:RemoveOutlookRuleBlob' do not have the corresponding 'Value:' field.

I tried the following search, but I noticed that when the 'Value' field doesn't exist, it aggregates with the next available 'Value' field.

base search....
| spath path=OperationProperties{}.Name output=Name
| spath path=OperationProperties{}.Value output=Value
| eval temp=mvzip(Name, Value)
| table Name Value, temp

temp
Actions,ForwardToRecipientsAction
Conditions,SentToRecipientsCondition,FromRecipientsCondition
Provider,RuleOrganizer
RemoveOutlookRuleBlob,XXX
Name,True
IsNew,Delete
IsDirty, XX


*The 'IsNew' field does not have 'True' value, as you can see in the first image.

My final search will looks like this after I correct the Name=Value.

base search...
| spath path=OperationProperties{}.Name output=Name
| spath path=OperationProperties{}.Value output=Value
| eval temp=mvzip(Name, Value)
| mvexpand temp
| eval Name=mvindex(split(temp,","),0), Value=mvindex(split(temp,","),1), Value=mvindex(split(temp,","),2)
| eval {Name}=Value
| stats values(*) as * by _time Id

Can I have any solutions here?

Thank you.

Labels (1)
Tags (2)
0 Karma
1 Solution

ITWhisperer
SplunkTrust
SplunkTrust
base search...
| spath OperationProperties{} output=OperationProperties
| mvexpand OperationProperties
| spath input=OperationProperties
| fields - OperationProperties
| fillnull value="true" Value
| rename Name as _Name Value as _Value
| eval {_Name}=_Value
| stats values(*) as * by _time Id

Use a fillnull value with something you can either always use as a default or something you can always recognised as having been introduced by fillnull so it can be removed/changed later.

View solution in original post

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust
base search...
| spath OperationProperties{} output=OperationProperties
| mvexpand OperationProperties
| spath input=OperationProperties
| fields - OperationProperties
| fillnull value="true" Value
| rename Name as _Name Value as _Value
| eval {_Name}=_Value
| stats values(*) as * by _time Id

Use a fillnull value with something you can either always use as a default or something you can always recognised as having been introduced by fillnull so it can be removed/changed later.

0 Karma

wvalente2
Engager

@ITWhisperer 

This works like a charm. Thank you so much.

Just one more question.

When I ran the query you proposed, the 'ServerRule' field presents the values in JSON format. (This format is shown in the raw log).

I tried to parse the values with 'spath' but no success at all.

Is there a way to parse this field as well without affecting the results that we achieve?
ServerRule

{"ID": XX,"IDx":"XX","ExecutionSequence":XX,"Level":XX,"StateFlags":XX,"UserFlags":XX,"Condition":{"Restrictions":[{"Values":[{"PropTag":{},"PropType":XX,"Value":XX,"RawValue":XX},{"PropTag":{},"PropType":XX,"Value":"XX"},{"PropTag":{},"PropType":31,"Value":"XX","RawValue":"XX

Thank you for your help.

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

I am not sure I understand what you are asking

Would this work?

| spath input=ServerRule

If not, why not?

0 Karma
Get Updates on the Splunk Community!

Improve Your Security Posture

Watch NowImprove Your Security PostureCustomers are at the center of everything we do at Splunk and security ...

Maximize the Value from Microsoft Defender with Splunk

 Watch NowJoin Splunk and Sens Consulting for this Security Edition Tech TalkWho should attend:  Security ...

This Week's Community Digest - Splunk Community Happenings [6.27.22]

Get the latest news and updates from the Splunk Community here! News From Splunk Answers ✍️ Splunk Answers is ...