cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Austin_James
Engager
Member since: ‎01-31-2023
‎02-01-2023
Community Statistics
Posts 2
Solutions 0
Karma Given 2
Karma Received 0
Member Since ‎01-31-2023
Activity Feed
View All

Re: Nested field (Json array) searching

by in Splunk Search
‎02-01-2023 12:04 AM
‎02-01-2023 12:04 AM
Hi @bowesmana  Thanks for the response. When adding the mvcount we are adding the criteria for the JSON array to be of length one. Which does not solve my query. I will explain my case better with the following example: Consider the following records: event event_details E1 [{"product_id":"P001","price":9.99,"payment_method":"Credit Card"},{"product_id":"P002","price":10,"payment_method":"Credit Card"}] E2 [{"product_id":"P001","price":9.99,"payment_method":"Credit Card"},{"product_id":"P002","price":10,"payment_method":"Paypal"}] E3 [{"product_id":"P002","price":19.99,"payment_method":"Paypal"}] E4 [{"product_id":"P001","price":9.99,"payment_method":"Paypal"},{"product_id":"P002","price":10,"payment_method":"Paypal"}]   source="sample_Logs.csv" host="si-i-01ab4b9a34d1f49ec.prd-p-gfp5t.splunkcloud.com" sourcetype="csv" | tojson auto(*) | spath "event_details{}.payment_method" | where 'event_details{}.payment_method'="Paypal" When using the above query I got 3 (E2, E3, E4) events in the response as shown in the below image.   I need to filter the events where all the purchases are done only by Paypal. So I am expecting the events E3 and E4 alone. Neglecting the event E2 since one of the purchases has been made by Credit Card. ... View more

How to form query for nested field (Json array) se...

by in Splunk Search
‎01-31-2023 10:48 PM
‎01-31-2023 10:48 PM
Hi  I have a field(event_details) that contains a JSON array. Record 1: {"event_details":[{"product_id":"P002","price":19.99,"payment_method":"Paypal"}]} Record 2: {"event_details":[{"product_id":"P001","price":9.99,"payment_method":"Credit Card"},{"product_id":"P002","price":10,"payment_method":"Credit Card"}]} Query: source="sample_Logs.csv" host="si-i-01ab4b9a34d1f49ec.prd-p-gfp5t.splunkcloud.com" sourcetype="csv" | tojson auto(*) | spath "event_details{}.product_id" | search "event_details{}.product_id"=P002 When using the above query I got both records in the response. But I need only those records with product_id = "P002" only and not with any other product_id in the JSON array. In this case record 1 contains only product_id as P002. I need only that record in the response. How to form the query for it?   I really appreciate any help you can provide. Update: Have explained my query properly in the below comment.  https://community.splunk.com/t5/Splunk-Search/Nested-field-Json-array-searching/m-p/629097/highlight/true#M218519  ... View more
Labels
Contact Me
Online Status
Offline
Date Last Visited
‎02-01-2023 12:25 AM
Karma given to
View All