Solved: Re: How to filter values returned from an array fi...

splguy · ‎01-25-2024

I have events with an array field named "tags". The tags array has 2 fields for each array object named "name" and "type". I reference this array as tags{}.name.

The values being returned for one event are:
name, type
Dept_Finance, Custom
Asset_Workstation, Custom

My goal is to count the events by tags starting with "Dept_".

(index="index_name") | dedup id | stats count by tags{}.name

This returns the correct count of tags for "Dept_" but it's also including all other tags that do not begin with "Dept_". The Asset_Workstation tag is attached to this event however I don't want it to output in the query. How can I pull records with multiple tags but exclude all tags not beginning with "Dept_" from the output?

I know this is an easy thing to do but I'm still learning SPL. Thanks for your help.

splguy · ‎01-25-2024

Thanks for your reply. It returns multiple results because there's more than one tag in the array per event. "stats count by tags{}.name" returns 1 count for each tag.

   os_system_name: Microsoft Windows
   os_type: Workstation
   os_vendor: Microsoft
   os_version: 22H2
   risk_score: 747.0674438476562
   severe_vulnerabilities: 1
   tags: [ [-]
     { [-]
       name: Asset_Workstation
       type: CUSTOM
     }
     { [-]
       name: Dept_Finance
       type: SITE
     }
   ]
   total_vulnerabilities: 1

Results:

tags{}.name	count
Asset_Workstation	1
Dept_Finance	1

I wasn't able to run eval or where operations on the tags{}.name without getting an error so I was stuck. I just stumbled on my answer but I appreciate your time looking at this. I knew it had to be a simple query but I wasn't initially able to put it together. Feel free to offer a better more efficient way to get the below results.

(index="index_name") | dedup id | stats count by tags{}.name | rename tags{}.name AS dept | where (dept like "Dept_%")

Results:

dept	count
Dept_Finance	1

View solution in original post

splguy · ‎01-25-2024

Thanks for your reply. It returns multiple results because there's more than one tag in the array per event. "stats count by tags{}.name" returns 1 count for each tag.

   os_system_name: Microsoft Windows
   os_type: Workstation
   os_vendor: Microsoft
   os_version: 22H2
   risk_score: 747.0674438476562
   severe_vulnerabilities: 1
   tags: [ [-]
     { [-]
       name: Asset_Workstation
       type: CUSTOM
     }
     { [-]
       name: Dept_Finance
       type: SITE
     }
   ]
   total_vulnerabilities: 1

Results:

tags{}.name	count
Asset_Workstation	1
Dept_Finance	1

I wasn't able to run eval or where operations on the tags{}.name without getting an error so I was stuck. I just stumbled on my answer but I appreciate your time looking at this. I knew it had to be a simple query but I wasn't initially able to put it together. Feel free to offer a better more efficient way to get the below results.

(index="index_name") | dedup id | stats count by tags{}.name | rename tags{}.name AS dept | where (dept like "Dept_%")

Results:

dept	count
Dept_Finance	1

yuanliu · ‎01-25-2024

This returns the correct count of tags for "Dept_" but it's also including all other tags that do not begin with "Dept_".

I don't understand this statement. Other than groupby field tags{}.name itself, | stats count by tags{}.name only gives one single output, that is count. How does it "include other tags", Dept_ or not?

You can help us by illustrating the results you want, and the results the search actually gives you. (Anonymize as needed.) Explain why the result is not what you expected.

How to filter values returned from an array field?

count

Detecting Remote Code Executions With the Splunk Threat Research Team

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

.conf24 | Session Scheduler is Live!!