Splunk Json array parse

On: April 18, 2023

With: 0 Comments

If your splunk data has json and it is an array with multiple key/values – use this trick here



 initial search  |  table SERVICES{}.* | eval respTable=mvzip('SERVICES{}.ServRespTime', 'SERVICES{}.ServiceShortName', "&&") | eval ResponseTime=mvindex(split(mvfilter(match(respTable,".*&&Service1Name")),"&&"),0) | table ResponseTime

Previous Post: PagerDuty-ServiceNow integration error: Cannot commit Update Set ‘pagerduty-v7.6’ because: Scope ‘x_pd_integration’ is not ‘Global’, not found in instance, but is found in app store. Install application from app store. Resolve the problem before committing.

Next Post: Python2.7 on Splunk 9

Leave a Reply