×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
mrsampson
Explorer
Member since: ‎11-19-2024
‎01-16-2025
Community Statistics
Posts 7
Solutions 0
Karma Given 3
Karma Received 0
Member Since ‎11-19-2024
Activity Feed
View All

Re: how to search in array inside a foreach loop

by SplunkTrust in Splunk Search
‎01-15-2025 08:41 PM
1 Karma
‎01-15-2025 08:41 PM
1 Karma
I see you want to determine full paths of the value input list.  You have a second requirement that the input be a JSON array,  ["Tag3", "Tag4"], and a third that the code needs to run in 8.0, which precludes JSON functions introduced in 8.1.  Note each of the path{} array has multiple values.  Without help of JSON functions, you need to handle that first. The most common way to do this is with mvexpand. (The input array also needs this.) | makeresults | eval _raw = "{ \"Info\": { \"Apps\": { \"ReportingServices\": { \"ReportTags\": [ \"Tag1\" ], \"UserTags\": [ \"Tag2\", \"Tag3\" ] }, \"MessageQueue\": { \"ReportTags\": [ \"Tag1\", \"Tag4\" ], \"UserTags\": [ \"Tag3\", \"Tag4\", \"Tag5\" ] }, \"Frontend\": { \"ClientTags\": [ \"Tag12\", \"Tag47\" ] } } } }" | spath ``` data emulation above ``` | eval Tags = "[\"Tag3\", \"Tag4\"]" | foreach *Tags{} [mvexpand <<FIELD>>] | spath input=Tags | mvexpand {} | foreach *Tags{} [eval tags=mvappend(tags, if(lower('<<FIELD>>') = lower('{}'), "<<FIELD>>", null()))] | dedup tags | stats values(tags) If your dataset is large, mvexpand has some limitations. ... View more

Re: Check multiple arrays for value without knowin...

by SplunkTrust in Splunk Search
‎11-19-2024 10:29 PM
1 Karma
‎11-19-2024 10:29 PM
1 Karma
Small improvements. The wildcard should apply to <anything>Tags{}. mvfind uses regex.  If you need string match, there is too much work to convert an arbitrary string into regex.  But Splunk's equality operator applies in multivalue context. So, using foreach suggested by @ITWhisperer, you can do   | foreach *Tags{} [| eval fields=mvappend(fields, if('<<FIELD>>' == "Tag4", "<<FIELD>>", null()))]   Your sample data will give fields Info.Apps.MessageQueue.ReportTags{} Info.Apps.MessageQueue.UserTags{} Since 8.2, Splunk introduced a set of JSON functions.  You can actually use a more formal, semantic approach, although the algorithm is messier because iteration capabilities are limited in SPL. (It is also limited as SPL doesn't support recursion.) Here is an illustration.   | eval key = json_array_to_mv(json_keys(_raw)) | mvexpand key | eval key1 = json_array_to_mv(json_keys(json_extract(_raw, key))) | mvexpand key1 | eval key = if(isnull(key1), key, key . "." . key1) | eval key1 = json_array_to_mv(json_keys(json_extract(_raw, key))) | mvexpand key1 | eval key = if(isnull(key1), key, key . "." . key1) | eval key1 = json_array_to_mv(json_keys(json_extract(_raw, key))) | mvexpand key1 | eval key = if(isnull(key1), key, key . "." . key1) | eval key1 = json_array_to_mv(json_keys(json_extract(_raw, key))) | eval key = if(isnull(key1), key, key . "." . key1) | eval value = json_array_to_mv(json_extract(_raw, key)) | where value == "Tag4"   The above code assumes a path depth of 5 even though your data only has depth of 4.  The result is key value Info.Apps.MessageQueue.ReportTags Tag1 Tag4 Info.Apps.MessageQueue.UserTags Tag3 Tag4 Tag5 Here is an emulation you can play with and compare with real data   | makeresults | eval _raw = "{ \"Info\": { \"Apps\": { \"ReportingServices\": { \"ReportTags\": [ \"Tag1\" ], \"UserTags\": [ \"Tag2\", \"Tag3\" ] }, \"MessageQueue\": { \"ReportTags\": [ \"Tag1\", \"Tag4\" ], \"UserTags\": [ \"Tag3\", \"Tag4\", \"Tag5\" ] }, \"Frontend\": { \"ClientTags\": [ \"Tag12\", \"Tag47\" ] } } } }" | fields - _time | spath ``` data emulation above ```   ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎01-16-2025 01:25 PM
Karma given to
View All