How do I find events that have a specific value in...

cpomerantzuniso · ‎10-04-2018

I have a JSON object that includes a field that is an array of strings. So something like this:

{
  "tags": [
    "value1",
    "value2"
  ]
}

I want to find all of the events that contain a specific value like "value2". I tried using mvfind but that didn't seem to work, something like this:

index="logs" | where isnotnull(mvfind(tags, "value2"))

Can someone tell me how I can do this?

Thanks!

harsmarvania57 · ‎10-05-2018

Hi @cpomerantzunison,

Please try below query (Here I am assuming that JSON data is already parsed and you have field called tags{})

index="logs" 
| rename tags{} AS tagvalue
| where (tagvalue LIKE "value2")

Below is run anywhere search which you can run on any splunk instance and check the output.

| makeresults
| eval field1="{
  \"tags\": [
    \"value1\",
    \"value2\"
  ]
}"
| append [ makeresults
| eval field1="{
  \"tags\": [
    \"value1\",
    \"value3\"
  ]
}" ]
| spath input=field1
| rename tags{} AS test_tag
| where (test_tag LIKE "value2")

How do I find events that have a specific value in an array of JSON strings?

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life