Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do you extract information from an array of key values in a column with multiple keys?

chalbersma
Engager
‎02-06-2019 11:16 AM

So I've got an event that has an array of key values like so in a column called associated : 

 associates: [
     {
       type: a
       person: person1
     },
     {
       type: b
       person: person2
     },
     {
       type: b
       person: person3
     },
     {
       type: c
       person: person3
     }...]

Now I can pull out all of the people associated with an issue doing the following:

| rename associated{}.person as all_associates

And pull out the "first" associate person like so

| eval dathuman=mvindex(all_assoicates, 0)

But, what I want to do is pull out just the associates of a particular type. So, something that get's me all the associates of type "b" only.

What's the best way to do that?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

chrisyounger
SplunkTrust
SplunkTrust
‎02-06-2019 12:09 PM

Working with MV fields is always a challenge.

Try this: 

| makeresults 
| eval _raw = "{\"associates\":[{\"type\":\"a\",\"person\":\"person1\"},{\"type\":\"b\",\"person\":\"person2\"},{\"type\":\"b\",\"person\":\"person3\"},{\"type\":\"c\", \"person\": \"person3\"      }]}" 
| spath 
| rename associates{}.person as person associates{}.type as type 
| eval both=mvzip(person, type, "#####") 
| fields both 
| mvexpand both 
| makemv both delim="#####" 
| eval person=mvindex(both, 0) 
| eval type=mvindex(both, 1)
| search type = "b"
| table person

View solution in original post

Reply
Solved! Jump to solution
Solution

chrisyounger
SplunkTrust
SplunkTrust
‎02-06-2019 12:09 PM

Working with MV fields is always a challenge.

Try this: 

| makeresults 
| eval _raw = "{\"associates\":[{\"type\":\"a\",\"person\":\"person1\"},{\"type\":\"b\",\"person\":\"person2\"},{\"type\":\"b\",\"person\":\"person3\"},{\"type\":\"c\", \"person\": \"person3\"      }]}" 
| spath 
| rename associates{}.person as person associates{}.type as type 
| eval both=mvzip(person, type, "#####") 
| fields both 
| mvexpand both 
| makemv both delim="#####" 
| eval person=mvindex(both, 0) 
| eval type=mvindex(both, 1)
| search type = "b"
| table person
Reply
Solved! Jump to solution

chalbersma
Engager
‎02-07-2019 11:06 AM

We ended up solving this on the import of data instead of in the query. But this does indeed work. Thanks!

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...