×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
balamurugandha7
Observer
Member since: ‎02-08-2021
‎02-09-2021
Community Statistics
Posts 3
Solutions 0
Karma Given 0
Karma Received 0
Member Since ‎02-08-2021
View All

Re: Extract distinct values from an response array...

by in Splunk Search
‎02-08-2021 03:22 AM
‎02-08-2021 03:22 AM
When I ran this I got the same array that is assigned to "_raw".  What I was expecting as an output is, "HAS_ACOUNT", "NON_ZERO_BALANCE_ACCOUNT", "JOINT_ACCOUNT" as only these three values within the Indicators array has the partial text "ACCOUNT". Also I couldn't figure out in your query where exactly you are trying to extract the events that has the partial text "ACCOUNT". For example, if there is another event that has the "Indicators" array value as follows, then I should only get the value "HAS_ACCOUNT" for this event as this is the only value within that array that has the partial text "ACCOUNT".. "Indicators": [           "HAS_ACOUNT",           "NOT_EXPIRED", ] ... View more

Re: Extract distinct values from an response array...

by in Splunk Search
‎02-08-2021 03:04 AM
‎02-08-2021 03:04 AM
Please advise how am I suppose to dynamically pass values to "elav _raw...." as I am trying to apply this rex to all events logged for last 30 days. Thanks in advance! ... View more

Extract distinct values from an response array tha...

by in Splunk Search
‎02-08-2021 02:34 AM
‎02-08-2021 02:34 AM
I have an array that would be presented in an API response which is being logged in Splunk and the array format is like this: "Indicators": [                 "HAS_ACOUNT",                 "NON_ZERO_BALANCE_ACCOUNT",                 "JOINT_ACCOUNT",                 "NOT_EXPIRED",                 "REGISTERED"             ]   The number of values within the array will not always have same pattern. i.e. There may be responses where there may be 10 values within 'Indicators' array.   Now, I want to extract distinct values within "Indicators" array (with the value that has the text "ACCOUNT") logged in Splunk for last 30 days from that specific API response. Could someone help me how to get that?   I wrote like this, but is didn't quite capture all possible values.. index="index_name" Env=test "........./API" | rex field=_raw "\"Indicators\"\:\[(?<planInd>[^\,]*)\]" max_match=0 | where like (planInd,"%PCP%") | dedup planInd | table planInd ... View more
Labels
Contact Me
Online Status
Offline
Date Last Visited
‎02-09-2021 02:43 AM