Splunk Search

How to access a property on the last element in an array, accessing last element in JSON array?

marcovdlinden
New Member

Hi, I have JSON events that have an array with objects and I want to extract a property from it.

Some pseudo search code:

| spath output=LastResult  path=message.results{-1}
| table LastResult.timestamp

{-1} indexing does not seem to work in spath.

| spath output=Results  path=message.results{}
| eval LastResult=mvindex(Results, -1)
| table LastResult.timestamp

This also does not work, because LastResult has become a string version of the last array element, so .timestamp does not work on that string.

My actual objects are a bit more complex and I want to get multiple properties, so a regex on the string returned by mvindex is not really an option.

Is there a good way to do this?

I got JSON with arrays in events.
I'd like to access a property of the last element in such an array.

| spath output=LastResult path=message.results{-1}
| table LastResult.timestamp

But {-1} does not seem to work for indexing the last element.

| spath output=Results path=message.results{}
| eval LastResult= mvindex(Results, -1)
| table LastResult.timestamp

mvindex does accept -1 and it does get the last result from the array.
But this also does not work, because LastResult becomes a string instead of a JSON object and thus .timestamp does not work.

Is there a way to do this?

0 Karma

poete
Builder

Hello @marcovdlinden ,

Check this. It should solve your problem.

| makeresults 
| eval _raw = "{\"message\":{\"results\":[1,2,3], \"otherFields\":0}}"
| spath output=result message.results{}
| eval res = mvindex(result,mvcount(result)-1)

jawaharas
Motivator

Can you provide sample JSON?

0 Karma
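
Added example, not part of any post in this thread: one way to read several properties from the last array element is to take that element with mvindex, as in the posts above, and then run spath a second time with input= pointed at the resulting JSON string. The event and its property names (timestamp, status, user) are constructed sample data; only message.results comes from the question.

```spl
| makeresults
| eval _raw="{\"message\":{\"results\":[{\"timestamp\":\"2024-03-01T10:00:00Z\",\"status\":\"failed\",\"user\":\"alice\"},{\"timestamp\":\"2024-03-01T10:05:00Z\",\"status\":\"ok\",\"user\":\"bob\"}]}}"
| spath output=Results path=message.results{}
| eval LastResult=mvindex(Results, -1)
| spath input=LastResult path=timestamp output=LastTimestamp
| spath input=LastResult path=status output=LastStatus
| spath input=LastResult path=user output=LastUser
| table LastTimestamp LastStatus LastUser LastResult
```

Running spath input=LastResult without path= extracts every property of the last element under its own name instead. When message.results is empty, mvindex returns null and the Last* fields are left unset.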