My event data contains the following:
target: [
{
alternateId: application1
detailEntry: {
}
displayName: OpenID Connect Client
id: asdfasdf
type: AppInstance
}
{
alternateId: unknown
detailEntry: null
displayName: Unregistered Device - Default
id: adsfasdf
type: Rule
I want to do a | stats count by target.displayName, but only on events that have target.type=Rule. It is possible to have more than two entries as well, so I can't just always select the second entry.
A pointer: When anonymizing structured data, make sure the structure itself is compliant. I think you mean your event looks like
{
  "target": [
    {
      "alternateId": "application1",
      "detailEntry": {},
      "displayName": "OpenID Connect Client",
      "id": "asdfasdf",
      "type": "AppInstance"
    },
    {
      "alternateId": "unknown",
      "detailEntry": "null",
      "displayName": "Unregistered Device - Default",
      "id": "adsfasdf",
      "type": "Rule"
    }
  ]
}
You can use mvexpand before filtering, or use mvfilter. Using mvexpand is more traditional:
| spath path=target{}
| mvexpand target{}
| where json_extract('target{}', "type") == "Rule"
| eval displayName = json_extract('target{}', "displayName")
Use of JSON functions above assumes that you use Splunk 8 or later, but the mvexpand method can still work without JSON functions; you just use another round of spath.
Using mvfilter, on the other hand, requires JSON functions first introduced in Splunk 8.
| spath path=target{}
| eval target = mvfilter(json_extract('target{}', "type") == "Rule")
| eval displayName = json_extract(target, "displayName")
Hope this helps.
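As an added, self-contained example (not part of the answer above), here is the mvexpand approach carried through to the | stats count by displayName the question asks for, run against a constructed event that has three target entries (two of type Rule) so that the filter, rather than the position in the array, selects the right entries. The sample displayName and id values in the third entry are made up.

```spl
| makeresults
| eval _raw="{\"target\": [{\"alternateId\": \"application1\", \"detailEntry\": {}, \"displayName\": \"OpenID Connect Client\", \"id\": \"asdfasdf\", \"type\": \"AppInstance\"}, {\"alternateId\": \"unknown\", \"detailEntry\": null, \"displayName\": \"Unregistered Device - Default\", \"id\": \"adsfasdf\", \"type\": \"Rule\"}, {\"alternateId\": \"unknown\", \"detailEntry\": null, \"displayName\": \"Example Sign-On Rule\", \"id\": \"placeholder-id\", \"type\": \"Rule\"}]}"
| spath path=target{}
| mvexpand target{}
| where json_extract('target{}', "type") == "Rule"
| eval displayName = json_extract('target{}', "displayName")
| stats count by displayName
```

Against real data, replace the first two lines with your base search; each matching target entry becomes its own row after mvexpand, so an event with several Rule entries contributes one count per entry.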