I have a JSON object that includes a field that is an array of strings. So something like this:
{
  "tags": [
    "value1",
    "value2"
  ]
}
I want to find all of the events that contain a specific value like "value2". I tried using mvfind but that didn't seem to work, something like this:
index="logs" | where isnotnull(mvfind(tags, "value2"))
Can someone tell me how I can do this?
Thanks!
Hi @cpomerantzunison,
Please try the query below (here I am assuming that the JSON data is already parsed and you have a field called tags{}).
index="logs"
| rename tags{} AS tagvalue
| where (tagvalue LIKE "value2")
Below is a run-anywhere search which you can run on any Splunk instance to check the output.
| makeresults
| eval field1="{
\"tags\": [
\"value1\",
\"value2\"
]
}"
| append [ makeresults
| eval field1="{
\"tags\": [
\"value1\",
\"value3\"
]
}" ]
| spath input=field1
| rename tags{} AS test_tag
| where (test_tag LIKE "value2")
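As an added run-anywhere example (not part of the original question or answer), the search below does the same membership check with mvfind against the multivalue field that spath produces, using an anchored regex so that only an exact element match counts; the field names raw and tag, and the third constructed event whose tag merely starts with "value2", are assumptions made for this illustration.

```spl
| makeresults count=3
| streamstats count AS n
| eval raw=case(n==1, "{\"tags\": [\"value1\", \"value2\"]}", n==2, "{\"tags\": [\"value1\", \"value3\"]}", n==3, "{\"tags\": [\"value2-suffix\"]}")
| spath input=raw path=tags{} output=tag
| where mvfind(tag, "^value2$") >= 0
| table n tag
```

Only the first event survives the where clause: mvfind returns the matching element's index (or null when nothing matches), and the ^...$ anchors keep "value2-suffix" from matching. If you skip the output=tag rename, refer to the auto-extracted field as 'tags{}' (single quotes) inside where or eval, since the braces otherwise break the expression parser.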