cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
splguy
Engager
Member since: ‎01-25-2024
‎01-25-2024
Community Statistics
Posts 2
Solutions 1
Karma Given 0
Karma Received 0
Member Since ‎01-25-2024
View All

Re: How to filter values returned from an array fi...

by in Splunk Search
‎01-25-2024 12:45 PM
‎01-25-2024 12:45 PM
Thanks for your reply.  It returns multiple results because there's more than one tag in the array per event.  "stats count by tags{}.name" returns 1 count for each tag. os_system_name: Microsoft Windows os_type: Workstation os_vendor: Microsoft os_version: 22H2 risk_score: 747.0674438476562 severe_vulnerabilities: 1 tags: [ [-] { [-] name: Asset_Workstation type: CUSTOM } { [-] name: Dept_Finance type: SITE } ] total_vulnerabilities: 1  Results: tags{}.name count Asset_Workstation 1 Dept_Finance 1   I wasn't able to run eval or where operations on the tags{}.name without getting an error so I was stuck.  I just stumbled on my answer but I appreciate your time looking at this.  I knew it had to be a simple query but I wasn't initially able to put it together.  Feel free to offer a better more efficient way to get the below results. (index="index_name") | dedup id | stats count by tags{}.name | rename tags{}.name AS dept | where (dept like "Dept_%")  Results: dept count Dept_Finance 1 ... View more

How to filter values returned from an array field?

by in Splunk Search
‎01-25-2024 11:12 AM
‎01-25-2024 11:12 AM
I have events with an array field named "tags".  The tags array has 2 fields for each array object named "name" and "type".  I reference this array as tags{}.name.  The values being returned for one event are: name, type Dept_Finance, Custom Asset_Workstation, Custom My goal is to count the events by tags starting with "Dept_".     (index="index_name") | dedup id | stats count by tags{}.name      This returns the correct count of tags for "Dept_" but it's also including all other tags that do not begin with "Dept_".  The Asset_Workstation tag is attached to this event however I don't want it to output in the query.  How can I pull records with multiple tags but exclude all tags not beginning with "Dept_" from the output? I know this is an easy thing to do but I'm still learning SPL.  Thanks for your help. ... View more
Labels
Contact Me
Online Status
Offline
Date Last Visited
‎01-25-2024 06:34 PM