Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Need help writing a search command to determine if a value is in a json array more than once

lyndac
Contributor
‎09-21-2015 07:26 AM

I am indexing json objects into splunk. An example of the json is: 

 {
      id: "24234563",
      systems: [ "host1", "host2", "host3", "host1"]
      otherfield: "otherfieldvalue"
    }
    {
      id: "1255434",
      systems: [ "host3", "host2", "host7", "host1"]
      otherfield: "otherfieldvalue"
    }

I need to write a search to return all events where a given value of "systems" occurs in the same event more than once. So, if the data is the two events above, my search would only return the event with id=24234563.

I can figure out if there are any duplicates in the event using the search below, but that doesn't get me what I need and I'm not sure where to go from here.

 index=foo systems{}=host1 | rename systems{} as systems |eval numsystems= mvcount(systems) | eval sysdedup=mvdedup(systems) | eval numdedup=mvcount(sysdedup) | where numdedup != numsystems
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

alacercogitatus
SplunkTrust
SplunkTrust
‎09-21-2015 08:50 AM

This should help you. mvexpand will build numerous events for each occurance of systems, which you can then build a search against to find the total counts. I've tested this on one of my systems, and the logic is sound and should return what you want.

index=foo| rename systems{} as systems | eventstats count as total_count | mvexpand systems | stats count values(total_count) as total_count by systems id | eval count  = count / (2*total_count) | where count > 1 | fields systems count id

This, for me returns this table:

systems count   id
host1       2   24234563

View solution in original post

Reply
Solved! Jump to solution
Solution

alacercogitatus
SplunkTrust
SplunkTrust
‎09-21-2015 08:50 AM

This should help you. mvexpand will build numerous events for each occurance of systems, which you can then build a search against to find the total counts. I've tested this on one of my systems, and the logic is sound and should return what you want.

index=foo| rename systems{} as systems | eventstats count as total_count | mvexpand systems | stats count values(total_count) as total_count by systems id | eval count  = count / (2*total_count) | where count > 1 | fields systems count id

This, for me returns this table:

systems count   id
host1       2   24234563
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎09-21-2015 07:58 AM

I don't see anything wrong with your query, So what is exactly your need? Are you looking for a specific Items?

0 Karma
Reply
Get Updates on the Splunk Community!

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

Tuesday, May 14, 2024  |  11AM PT / 2PM ET Register to Attend Join us for this Tech Talk and learn how to ...

.conf24 | Personalize your .conf experience with Learning Paths!

Personalize your .conf24 Experience Learning paths allow you to level up your skill sets and dive deeper ...

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

WATCH NOWAs AI starts tackling low level alerts, it's more critical than ever to uplevel your threat hunting ...