Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- About mrsampson
mrsampson
Explorer
Member since:
11-19-2024
01-16-2025
Community Statistics
| Posts | 7 |
| Solutions | 0 |
| Karma Given | 3 |
| Karma Received | 0 |
| Member Since | 11-19-2024 |
Activity Feed
- Karma Re: how to search in array inside a foreach loop for ITWhisperer. 01-16-2025 10:04 AM
- Posted Re: how to search in array inside a foreach loop on Splunk Search. 01-15-2025 10:19 AM
- Posted Re: how to search in array inside a foreach loop on Splunk Search. 01-15-2025 05:43 AM
- Posted Re: how to search in array inside a foreach loop on Splunk Search. 01-15-2025 05:43 AM
- Posted Re: how to search in array inside a foreach loop on Splunk Search. 01-15-2025 02:24 AM
- Posted Re: how to search in array inside a foreach loop on Splunk Search. 01-15-2025 02:19 AM
- Posted how to search in array inside a foreach loop on Splunk Search. 01-14-2025 10:22 AM
- Karma Re: Check multiple arrays for value without knowing parent node(s) for ITWhisperer. 11-20-2024 08:54 AM
- Karma Re: Check multiple arrays for value without knowing parent node(s) for yuanliu. 11-20-2024 08:54 AM
- Posted Check multiple arrays for value without knowing parent node(s) on Splunk Search. 11-19-2024 07:23 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 |
01-15-2025
05:43 AM
@ITWhisperer wrote: Splunk's version of arrays is multivalue field, so if you change you input to a multivalue field, you could do something like this | eval Tag = split(lower("Tag3,Tag4"),",")
| spath
| foreach *Tags{}
[| eval field="<<FIELD>>"
| foreach <<FIELD>> mode=multivalue
[| eval tags=if(isnull(tags),if(mvfind(Tag,lower('<<ITEM>>')) >= 0, field, null()),mvappend(tags, if(mvfind(Tag,lower('<<ITEM>>')) >= 0, field, null())))]
]
| stats values(tags) Thank you for your response and the example, currently it is returnin 0 results for me. Could it have something to do with my Splunk version? I a
... View more
01-15-2025
02:24 AM
not really, the main point in here is that my input to this query, instead of a simple value would be an array. e.g. current input format:
| eval Tag = "Tag1"
desired input format:
| eval Tags = ["Tag3", "Tag4"]
... View more
01-15-2025
02:19 AM
for this | eval Tags = ["Tag3", "Tag4]
| spath
| foreach *Tags{}
[| eval tags=mvappend(tags, if(lower('<<FIELD>>') = lower(Tag), "<<FIELD>>", null()))]
| dedup tags
| stats values(tags) I would like to get Info.Apps.MessageQueue.ReportTags{}
Info.Apps.ReportingServices.ReportTags{}
Info.Apps.MessageQueue.UserTags{}
... View more
01-14-2025
10:22 AM
This is an example of the structure of my data and the query I am currently using. I have tried around 10 different solutions based on various examples from stackoverflow.com and community.splunk.com. But I have not figured out how to change this query such that eval Tag = "Tag1" can become an array eval Tags = ["Tag1", "Tag4"] and I will get entries for all tags that exist in the array. Could someone guide me in the right direction? | makeresults
| eval _raw = "{
\"Info\": {
\"Apps\": {
\"ReportingServices\": {
\"ReportTags\": [
\"Tag1\"
],
\"UserTags\": [
\"Tag2\",
\"Tag3\"
]
},
\"MessageQueue\": {
\"ReportTags\": [
\"Tag1\",
\"Tag4\"
],
\"UserTags\": [
\"Tag3\",
\"Tag4\",
\"Tag5\"
]
},
\"Frontend\": {
\"ClientTags\": [
\"Tag12\",
\"Tag47\"
]
}
}
}
}"
| eval Tag = "Tag1"
| spath
| foreach *ReportTags{}
[| eval tags=mvappend(tags, if(lower('<<FIELD>>') = lower(Tag), "<<FIELD>>", null()))]
| dedup tags
| stats values(tags)
... View more
11-19-2024
07:23 AM
The structure of JSON in my log events is roughly as follows {
"Info": {
"Apps": {
"ReportingServices": {
"ReportTags": [
"Tag1"
],
"UserTags": [
"Tag2",
"Tag3"
]
},
"MessageQueue": {
"ReportTags": [
"Tag1",
"Tag4"
],
"UserTags": [
"Tag3",
"Tag4",
"Tag5"
]
},
"Frontend": {
"ClientTags": [
"Tag12",
"Tag47"
]
}
}
}
} The number of fields in "Apps" is unknown, as are their names. Given this structure I need to check if a given tag ("Tag1", "Tag2", ...) exists in in a given array ("ReportTags", "UserTags", [..]), regardless of parent. If it does, I need the distinct names of parent field names that contain this. Example 1: The input to the query is "ReportTags" and "Tag1". I'd expect it to output both "ReportingServices" and "MessageQueue" because both of them contain a "ReportTags" array that contains "Tag1". Example 2: The input to the query is "UserTags" and "Tag5". I'd expect it to output only "MessageQueue" because only this one contains a "UserTags" array that contains this "Tag5". I have looked at various questions on this forum, tried various combinations of mvexpand and such but I have not been able to write a query that does exactly this. Any hints and/or help would be greatly appreciated.
... View more
Labels
- Labels:
-
field extraction
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
01-16-2025
01:25 PM
|
