Splunk Search

How to get specific value from key/value array to form table?

btsr
Explorer

Hi All,

I don't have much experience with Splunk. My JSON payload looks as shown below. The msg.details array can have any number of key/value pairs in any order.

{
  "appName": "TestApp",
  "eventType": "Response",
  "msg": {
    "transId": "Trans1234",
    "status": "Success",
    "client": "clientXyz",
    "responseTime": 1650,
    "details": [
      {
        "keyName": "rtt",
        "keyValue": 2778
      },
      {
        "keyName": "trace",
        "keyValue": 97007839130680
      }
    ],
    "url": "/v1/test"
  }
}

I am trying to write a query and form a table as shown below. I am interested in displaying only the keyValue of keyName:trace in the table. Any help is appreciated. Thanks.

index=* appName="TestApp" msg.url="/v1/test" | table msg.transId, msg.status, msg.details[keyName="trace"].keyValue

msg.transId   msg.status   msg.details[keyName="trace"].keyValue
Trans1234     Success      97007839130680
Trans7890     ERROR        29411645500355


ITWhisperer
SplunkTrust

Another way to do it is to extract and expand the collection

| spath
| spath msg.details{} output=details
| mvexpand details
| spath input=details
| where keyName="trace"
| table msg.transId msg.status keyValue

btsr
Explorer

This saved my day! Thank you @ITWhisperer!

richgalloway
SplunkTrust

Splunk doesn't recognize square brackets as denoting a JSON array; they identify a subsearch.

We also can't reference a JSON array element by name. Perhaps some day...

Here's a run-anywhere query showing one way to accomplish the task.

| makeresults 
| eval _raw="{
  \"appName\": \"TestApp\",
  \"eventType\": \"Response\",
  \"msg\": {
    \"transId\": \"Trans1234\",
    \"status\": \"Success\",
    \"client\": \"clientXyz\",
    \"responseTime\": 1650,
    \"details\": [
      {
        \"keyName\": \"rtt\",
        \"keyValue\": 2778
      },
      {
        \"keyName\": \"trace\",
        \"keyValue\": 97007839130680
      }
    ],
    \"url\": \"/v1/test\"
  }
}" | spath 
``` Everything above sets up test data.  Delete IRL. ```
``` Combine keyName and keyValue so we can work with them as a pair. ```
| eval foo=mvzip('msg.details{}.keyName','msg.details{}.keyValue')
``` Locate "trace" keys ```
| eval foo=mvindex(foo,mvfind(foo,"trace"))
``` Break up the keyName/keyValue pair for display ```
| eval foo=split(foo,",")
| eval keyName=mvindex(foo,0), keyValue=mvindex(foo,1)
| table msg.transId, msg.status, keyName, keyValue
---
If this reply helps you, Karma would be appreciated.
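Added example (mine, not code from either answer above or from Splunk's own documentation) that builds on both replies in this thread. It constructs two test events: the one from the question, plus a second, assumed event (Trans7890) whose details array is shorter and has no "trace" key at all. It then uses the spath/mvexpand pattern from the accepted answer, but instead of filtering down to one key it turns every keyName into its own column, so an event that lacks "trace" still appears in the table with an empty cell rather than being dropped by the where clause. The rtt column and the second event are illustration only.

```spl
| makeresults count=2
| streamstats count as n
| eval _raw=if(n=1,
    "{\"appName\":\"TestApp\",\"eventType\":\"Response\",\"msg\":{\"transId\":\"Trans1234\",\"status\":\"Success\",\"client\":\"clientXyz\",\"responseTime\":1650,\"details\":[{\"keyName\":\"rtt\",\"keyValue\":2778},{\"keyName\":\"trace\",\"keyValue\":97007839130680}],\"url\":\"/v1/test\"}}",
    "{\"appName\":\"TestApp\",\"eventType\":\"Response\",\"msg\":{\"transId\":\"Trans7890\",\"status\":\"ERROR\",\"client\":\"clientXyz\",\"responseTime\":3200,\"details\":[{\"keyName\":\"rtt\",\"keyValue\":9000}],\"url\":\"/v1/test\"}}")
| fields - n
| spath
| spath path=msg.details{} output=details
| mvexpand details
| spath input=details
| where keyName="rtt" OR keyName="trace"
| eval {keyName}=keyValue
| stats values(trace) as trace values(rtt) as rtt by msg.transId msg.status
| table msg.transId msg.status trace rtt
```

The first five lines (makeresults through fields - n) only fabricate the two constructed test events; in a real search replace them with your own base search and name the index explicitly rather than using index=*. The first spath extracts the scalar fields (msg.transId, msg.status), the second pulls the details array out as a multivalue field of JSON objects, mvexpand gives one row per object, and the third spath extracts keyName and keyValue from each row. The eval with {keyName} creates a field named after the value of keyName, which is what lets an arbitrary, unordered key/value array become fixed columns. Because keyName comes straight from the payload, the where clause before that eval acts as an allowlist: without it a producer could make the search create any field name it likes, including clobbering _time or _raw in the pipeline. Finally stats folds the expanded rows back to one per transaction; Trans7890 comes out with rtt 9000 and an empty trace column. One practical caveat: mvexpand is bounded by max_mem_usage_mb in the [mvexpand] stanza of limits.conf, so for very large arrays or high event volumes the mvzip/mvfind approach in the reply above, which never multiplies rows, is the cheaper option.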