splunksplunk-query
Splunk: Entry looks like an array but can't be accessed as one
I've got a portion of a log entry which looks like an array, but I can only access it with the {} notation.
For example, I think the path is line.ul-log-data.meta.data[0].foo, but the only way I can access the value is line.ul-log-data.meta.data{}.foo.
I've been experimenting with various multivalue field evaluations but coming up short. For example, when I do an mvcount("line.ul-log-data.meta.data"), it returns 1.
What do I have to do to use the array notation [0] and get that count to return 2?
Solution
Splunk uses curly brackets to access JSON arrays because square brackets have a very different, historical function.
Have you tried mvcount("line.ul-log-data.meta.data{}")?
- Math.Sin() gives incorrect value
- How to run my python script when the sunOS is start booting
- Express-session: not resetting cookie expiration on each request
- Getting a stack overflow exception when normalizing a vector
- Edit default summary function in R gives error for multiple variables
- What was a For loop? Why isn't it needed in R?
- How to use download button in shiny and save results in various formats (csv, texte, pdf, spss...)?
- Why are there two assignment operators, `<-` and `->` in R?
- lm()$assign: what is it?
- How to get the value of list(...) in R and S functions
- Design matrix for MLM from library(lme4) with fixed and random effects
- how to generate elements not included in my sample
- Create a matrix with gradually changing values without a for loop
- Emacs ESS and S-plus ( S+ ) 8.1 compatability
- How to lag date-index in a time-series in R?
- Nonlinear regression in R / S
- Calling R from S-Plus?