I'm trying to capture occurrences when multiple criteria are true in an event where elements can exist multiple times in the message.
For example, with the below event I want to capture how often events have an element that is both id=A and width>600.
Because there are multiple walls I can easily filter when any element has an id=A or a width>600, but I cannot figure out how to filter where both criteria are met.
Example message below:
elements: [
{
id: A
width: 585
}
{
id: B
width: 605
}
]
You can either leverage the spath
command https://docs.splunk.com/Documentation/Splunk/8.0.0/SearchReference/Spath to make the data easier to work with, or look at the answer posted here: https://answers.splunk.com/answers/784418/dynamic-loop-through-a-json-array-looking-for-trig.html#an...
Essentially, you need to create a pairing between id and width, separate them into their own rows, index them out, and then run your search:
{code}
your_base_search
| eval id_zip_width=mvzip(id,width)
| mvexpand id_zip_width
| eval id_zip_width=split(id_zip_width,",")
| eval id=mvindex(id_zip_width,0)
| eval width=mvindex(id_zip_width,1)
| search id="A" AND width>600
{code}
Hope this helps!
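The spath route that this answer links to but does not spell out, as an added example that is not part of the original answer: it builds a constructed one-event copy of the question's message (assumed to be JSON, with the array under `elements`), splits the array into one row per element, and only then applies both conditions. The field name `element` and the count alias are my own choices.

```spl
| makeresults
``` constructed single event mirroring the question's message, as JSON ```
| eval _raw="{\"elements\":[{\"id\":\"A\",\"width\":585},{\"id\":\"B\",\"width\":605}]}"
``` pull the array out as one multivalue field, one value per element object ```
| spath path=elements{} output=element
``` one row per element, so id and width stay paired ```
| mvexpand element
``` extract id and width from that element's own JSON ```
| spath input=element
``` both conditions now refer to the same element ```
| where id="A" AND width>600
| stats count AS matching_elements
```

With the sample event this returns 0 rows before `stats` (A is 585 wide, the 605 one is B), which is the point: a plain `id=A width>600` over the whole event would have matched. To count events rather than elements, keep an event key through `mvexpand` (for example `_time` or a unique id field) and use `dc()` on it instead of `count`.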
Like this:
... | eval _raw = mvzip(id, width, "=")
| kv
| where A>600
This worked! Thank you very much.
Be sure to try mine; it should scale better and is much shorter.