This is an example of the structure of my data and the query I am currently using. I have tried around 10 different solutions based on various examples from stackoverflow.com and community.splunk.com. But I have not figured out how to change this query such that eval Tag = "Tag1" can become an array eval Tags = ["Tag1", "Tag4"] and I will get entries for all tags that exist in the array. Could someone guide me in the right direction?

| makeresults
| eval _raw = "{
\"Info\": {
\"Apps\": {
\"ReportingServices\": {
\"ReportTags\": [
\"Tag1\"
],
\"UserTags\": [
\"Tag2\",
\"Tag3\"
]
},
\"MessageQueue\": {
\"ReportTags\": [
\"Tag1\",
\"Tag4\"
],
\"UserTags\": [
\"Tag3\",
\"Tag4\",
\"Tag5\"
]
},
\"Frontend\": {
\"ClientTags\": [
\"Tag12\",
\"Tag47\"
]
}
}
}
}"
| eval Tag = "Tag1"
| spath
| foreach *ReportTags{}
[| eval tags=mvappend(tags, if(lower('<<FIELD>>') = lower(Tag), "<<FIELD>>", null()))]
| dedup tags
| stats values(tags)
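An added example, not part of the original post, showing one way to turn the single Tag into a multivalue Tags field against the same sample data: the wanted tags are built with split(), each ReportTags value is paired with the field path it came from using mvmap (assumes Splunk 8.0 or later), and both sides are expanded with mvexpand so the case-insensitive comparison is always between single values rather than multivalue fields. The field names Tags, report_tag, path, tag, matching_apps and matched_tags are assumed names chosen for this example.

```spl
| makeresults
| eval _raw = "{\"Info\":{\"Apps\":{
    \"ReportingServices\":{\"ReportTags\":[\"Tag1\"],\"UserTags\":[\"Tag2\",\"Tag3\"]},
    \"MessageQueue\":{\"ReportTags\":[\"Tag1\",\"Tag4\"],\"UserTags\":[\"Tag3\",\"Tag4\",\"Tag5\"]},
    \"Frontend\":{\"ClientTags\":[\"Tag12\",\"Tag47\"]}}}}"
| spath
| eval Tags = split("Tag1,Tag4", ",")
| foreach *ReportTags{}
    [| eval report_tag = mvappend(report_tag, mvmap('<<FIELD>>', "<<FIELD>>" . "=" . '<<FIELD>>'))]
| fields Tags report_tag
| mvexpand report_tag
| mvexpand Tags
| rex field=report_tag "^(?<path>.*)=(?<tag>[^=]*)$"
| where lower(tag) = lower(Tags)
| stats values(path) AS matching_apps, values(tag) AS matched_tags
```

With the sample data this yields both ReportTags paths (ReportingServices and MessageQueue) under matching_apps and Tag1 and Tag4 under matched_tags; the Frontend app has no ReportTags field, so it is never considered.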