How do I find events that have a specific value in...

cpomerantzuniso · ‎10-04-2018

I have a JSON object that includes a field that is an array of strings. So something like this:

{
  "tags": [
    "value1",
    "value2"
  ]
}

I want to find all of the events that contain a specific value like "value2". I tried using mvfind but that didn't seem to work, something like this:

index="logs" | where isnotnull(mvfind(tags, "value2"))

Can someone tell me how I can do this?

Thanks!

harsmarvania57 · ‎10-05-2018

Hi @cpomerantzunison,

Please try below query (Here I am assuming that JSON data is already parsed and you have field called tags{})

index="logs" 
| rename tags{} AS tagvalue
| where (tagvalue LIKE "value2")

Below is run anywhere search which you can run on any splunk instance and check the output.

| makeresults
| eval field1="{
  \"tags\": [
    \"value1\",
    \"value2\"
  ]
}"
| append [ makeresults
| eval field1="{
  \"tags\": [
    \"value1\",
    \"value3\"
  ]
}" ]
| spath input=field1
| rename tags{} AS test_tag
| where (test_tag LIKE "value2")

How do I find events that have a specific value in an array of JSON strings?

Wondering How to Build Resiliency in the Cloud?

Updated Data Management and AWS GDI Inventory in Splunk Observability

Introducing the Splunk Community Dashboard Challenge!