×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
bill
Engager
Member since: ‎09-29-2023
‎05-15-2025
Community Statistics
Posts 2
Solutions 0
Karma Given 4
Karma Received 0
Member Since ‎09-29-2023
Activity Feed
Topics I've Started
View All

Re: Extracting Value from and Event

by in Splunk Search
‎05-09-2025 11:47 AM
‎05-09-2025 11:47 AM
Thank you @livehybrid @yuanliu and @bowesmana! This is my first real post here, so I appreciate you bearing with me as I may not have provided a complete picture. @yuanliu 's answer provided a clear example of how I can use mvfind and mvindex to extract the correct data. The only thing I had to add was a \b word boundary to the mvfind regex, so it wouldn't hit the earlier partial match. Here is the query: index=okta "debugContext.debugData.privilegeGranted"="*" | eval type_index = mvfind('target{}.type', "CUSTOM_ROLE\b") | eval "Target Name" = mvindex('target{}.displayName', type_index) | eval "Target ID" = mvindex('target{}.alternateId', type_index) | rename actor.displayName as "Actor", description as "Action", debugContext.debugData.privilegeGranted as "Role(s)" | table Time, Actor, Action, "Target Name", "Target ID", Action, "Role(s)" ... View more

Extracting Value from and Event

by in Splunk Search
‎05-08-2025 01:56 PM
‎05-08-2025 01:56 PM
Hello, I am looking to add a particular value to an existing search of Okta data. The problem is I don't know how to extract the value which is on the same level as other values. The value I am looking for is "Workflows Administrator". The existing search is: index=okta "debugContext.debugData.privilegeGranted"="*" | rename actor.displayName as "Actor", targetUserDisplayName as "Target Name", targetUserAlternateId as "Target ID", description as "Action", debugContext.debugData.privilegeGranted as "Role(s)" | eval Time = strftime(_time, "%Y-%d-%m %H:%M:%S") | fields - _time | table Time, Actor, Action, "Target Name", "Target ID", Action, "Role(s)" and sample data is { [-] actor: { [+] } authenticationContext: { [+] } client: { [+] } debugContext: { [-] debugData: { [-] privilegeGranted: Application administrator (all), User administrator (all), Help Desk administrator (all) } } device: null displayMessage: Grant user privilege eventType: user.account.privilege.grant legacyEventType: core.user.admin_privilege.granted outcome: { [-] reason: null result: SUCCESS } published: 2025-05-08T19:30:54.612Z request: { [-] ipChain: [ [+] ] } securityContext: { [-] asNumber: null asOrg: null domain: null isProxy: null isp: null } severity: INFO target: [ [-] { [-] alternateId: jdoe@company.com detailEntry: null displayName: John Doe id: 00umfyv9jwzVvafI71t7 type: User } { [-] alternateId: unknown detailEntry: null displayName: Custom role binding added id: CUSTOM_ROLE_BINDING_ADDED type: CUSTOM_ROLE_BINDING_ADDED } { [-] alternateId: /api/v1/iam/roles/WORKFLOWS_ADMIN detailEntry: null displayName: Workflows Administrator id: WORKFLOWS_ADMIN type: CUSTOM_ROLE } { [-] alternateId: /api/v1/iam/resource-sets/WORKFLOWS_IAM_POLICY detailEntry: null displayName: Workflows Resource Set id: WORKFLOWS_IAM_POLICY type: RESOURCE_SET } ] transaction: { [+] } uuid: 2c42-11f0-a9fe version: 0 }  Any help is appreciated. Thank you! ... View more
Labels
Contact Me
Online Status
Offline
Date Last Visited
‎05-15-2025 12:48 PM
Karma given to