×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Maurice
Explorer
Member since: ‎07-09-2021
‎04-13-2022
Community Statistics
Posts 5
Solutions 0
Karma Given 3
Karma Received 0
Member Since ‎07-09-2021
Activity Feed
View All

Re: json array searching

by in Getting Data In
‎07-16-2021 04:00 AM
‎07-16-2021 04:00 AM
Thanks KV, That looks like much more maintainable code. 😀  One last think, I wanted to create a timechart also off the data but it fails once i use a real index instead of make results. I am presuming it has something to do with _time not being in the result set: index=myIndex source=mySource  spath path=sp_v{} output=data | stats count by data | rename data as _raw | extract | timechart span=1d count(bu)  useother=f usenull=f   Any ideas? Kind Regards, Maurice ... View more

Re: json array searching

by in Getting Data In
‎07-15-2021 08:36 AM
‎07-15-2021 08:36 AM
Thanks KV,  That works great.  My only issue is that in my dashboard I am building up this query using inputs (for most properties on the array). So there could be up to 7 or 8 properties to search on. I notice from the docs that mvzip only works with 2 properties by default. so I tried with 3 which worked(see below): |makeresults |eval _raw ="{ \"sp_v\":[ {\"bu\":\"blob\",\"disp\":\"enforce\", \"an\":\"test\"}, {\"bu\":\"inline\",\"disp\":\"report\", \"an\":\"another\"} ] }" | spath | rename sp_v{}.* as * | eval t = mvzip(mvzip(bu,disp), an) | mvexpand t | eval bu=mvindex(split(t,","),0),disp=mvindex(split(t,","),1), an=mvindex(split(t,","),2) | where bu="blob" AND disp="enforce" AND an="test"   I'd imagine the code would become hard to read as I have to nest mvzip inside itself and also change the index Do you know of a more readable way it accomplish this with  more properties? Kind regards, Maurice ... View more

json array searching

by in Getting Data In
‎07-15-2021 06:59 AM
‎07-15-2021 06:59 AM
Hi,  I am trying to return results if an item in the array has both values set to specific values. ie bu = "blob" and disp="enforce" on the one array item However,  my search seems to happen across items.   |makeresults |eval _raw ="{ \"sp_v\":[ {\"bu\":\"blob\",\"disp\":\"enforce\"}, {\"bu\":\"inline\",\"disp\":\"report\"} ] }" | spath | search sp_v{}.bu=blob AND sp_v{}.disp=report This is returning result as the first item has 'blob' and the second has 'report'. I would not expect any results in this search Would appreciate any help, Kind Regards, Maurice ... View more
Labels

Re: Grouping by items in an array

by in Getting Data In
‎07-12-2021 12:21 AM
‎07-12-2021 12:21 AM
Thanks a million for the reply. It really helped focus me in the correct direction. I ended up having to put an explicit spath before each of my search command that referenced one of the complex object properties. similar to:     | spath books{}.name | search books{}.name | top books{}.name       ... View more

Grouping by items in an array

by in Getting Data In
‎07-09-2021 05:55 AM
‎07-09-2021 05:55 AM
Hi, I'm hoping someone can help me out here. I have a property(books) on each event which holds an array of objects. I would like to group by books{}.name with count on y axis and create a bar chart. I tried using top books{}.name but this does not seem to give the correct results, seems to miss out on some groups all together   { books:[         {name: "book1"}, {name: "book2"}, {name: "book3"}, {name: "book3"}, {name: "book1"}, {name: "book1"},       ] } Would you have an idea of how to fix this, Kind Regards, Maurice ... View more
Labels
Contact Me
Online Status
Offline
Date Last Visited
‎04-13-2022 10:18 AM
Karma given to