
Get Specified element in array of json - SPLUNK


I am a newbie in Splunk. I have this JSON:

"request": {
    "headers": [
        {
            "name": "x-real-ip",
            "value": "10.31.68.186"
        },
        {
            "name": "x-forwarded-for",
            "value": "10.31.68.186"
        },
        {
            "name": "x-nginx-proxy",
            "value": "true"
        }
    ]
}

I need to pick the value when the property name is "x-real-ip".


Solution

  • There are a couple of ways to do this - here's the one I use most often (presuming you also want the value alongside the name):

    index=ndx sourcetype=srctp request.headers{}.name="x-real-ip"
    | eval combined=mvzip('request.headers{}.name','request.headers{}.value',"|")
    | mvexpand combined
    | search combined="x-real-ip*"
    

    This skips all events that don't have "x-real-ip" somewhere in the request.headers{}.name multivalue field.

    Next, it combines the two multivalue fields (name & value) into a single mv field, separated by the | character.

    Then expand the result set so you're looking at one line at a time.

    Finally, you look for only results that have the value "x-real-ip" in them.

    If you'd like to then extract the value from the combined field, add the following line:

    | rex field=combined "\|(?<x_real_ip>.+)"
    

    And, of course, you can do whatever other SPL operations on your data you wish.
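A variant that keeps one row per event, added here as an example and not part of the answer above: instead of expanding the combined field, look up the position of the wanted header name with mvfind and read the value at the same position with mvindex. This works because both multivalue fields are extracted from the same headers[] array, so their positions line up. index=ndx and sourcetype=srctp are the placeholder names from the answer; the search pulls x-forwarded-for as well, since it appears in the same sample JSON.

```spl
index=ndx sourcetype=srctp request.headers{}.name="x-real-ip"
| eval hdr_names='request.headers{}.name', hdr_values='request.headers{}.value'
| eval x_real_ip=mvindex(hdr_values, mvfind(hdr_names, "(?i)^x-real-ip$"))
| eval x_forwarded_for=mvindex(hdr_values, mvfind(hdr_names, "(?i)^x-forwarded-for$"))
| table _time x_real_ip x_forwarded_for
```

The regex is anchored and case-insensitive so that a header such as x-real-ip-internal is not matched and HTTP's case-insensitive header names are still found; mvfind returns only the first match, so a duplicated header yields its first occurrence.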