
javascript - Get Specified element in array of json - SPLUNK - Stack Overflow


I am a newbie in Splunk. I have this JSON:

"request": {
    "headers": [
        {
            "name": "x-real-ip",
            "value": "10.31.68.186"
        },
        {
            "name": "x-forwarded-for",
            "value": "10.31.68.186"
        },
        {
            "name": "x-nginx-proxy",
            "value": "true"
        }
    ]
}

I need to pick the value when the property name has the "x-real-ip" value.


asked May 6, 2020 at 21:50 by Igor Eulálio; edited Dec 30, 2020 at 18:22 by AbsoluteBeginner
  • Are you using the splunk search tool, or something outside of their gui interface? – Taplar Commented May 6, 2020 at 21:54
  • this question really shouldn't be downvoted – warren Commented May 12, 2020 at 14:53

3 Answers


There are a couple of ways to do this - here's the one I use most often (presuming you also want the value alongside the name):

index=ndx sourcetype=srctp request.headers{}.name="x-real-ip"
| eval combined=mvzip(request.headers{}.name,request.headers{}.value,"|")
| mvexpand combined
| search combined="x-real-ip*"

This skips all events that don't have "x-real-ip" somewhere in the request.headers{}.name multivalue field.

Next, it combines the two multivalue fields (name & value) into a single mv field, separated by the | character.

Then expand the result set so you're looking at one line at a time.

Finally, you look for only results that have the value "x-real-ip" in them.

If you'd like to then extract the value from the combined field, add the following line:

| rex field=combined "\|(?<x_real_ip>.+)"

And, of course, you can do whatever other SPL operations on your data you wish.

I tried @Warren's answer but I got the following error:

Error in 'eval' command: The expression is malformed. Expected ).

You need to add a rename because the {} characters in mvzip cause problems. This is the query that works:

index=ndx sourcetype=srctp request.headers{}.name="x-real-ip"
| rename request.headers{}.name AS headerName, request.headers{}.value AS headerValue
| eval reviewers=mvzip(headerName,headerValue,"|")
| mvexpand reviewers
| search reviewers="x-real-ip*"

your search
| rex max_match=0 "name\":\s\"(?<fieldname>[^\"]+)"
| rex max_match=0 "value\":\s\"(?<fieldvalue>[^\"]+)"
| eval tmp=mvzip(fieldname,fieldvalue,"=")
| rename tmp as _raw
| kv
| fields - _* field*

When you ask a question, please present the correct information. You've run out of logs in the process.
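The three answers rely on the same idea: Splunk extracts `request.headers{}.name` and `request.headers{}.value` as two parallel multivalue fields, `mvzip` pairs them by position, `mvexpand` turns each pair into its own row, and a `search`/`rex` (or a regex over `_raw` followed by `kv`) pulls out the value whose name is `x-real-ip`. The Python below is an added example, not code from any of the answers or from Splunk; it models those SPL steps over a constructed event shaped like the JSON in the question, so you can see what the pipeline does with the data and where positional pairing breaks. The event, the field lists, the `mvzip` model and the `fields_aligned` check are all assumptions made for this illustration.

```python
import json
import re

# Constructed sample event, modelled on the JSON in the question (not real log data).
RAW_EVENT = json.dumps({
    "request": {
        "headers": [
            {"name": "x-real-ip", "value": "10.31.68.186"},
            {"name": "x-forwarded-for", "value": "10.31.68.186"},
            {"name": "x-nginx-proxy", "value": "true"},
        ]
    }
}, indent=4)

# Constructed event where the first header carries no "value" key at all.
RAW_EVENT_MISSING = json.dumps({
    "request": {
        "headers": [
            {"name": "x-real-ip"},
            {"name": "x-forwarded-for", "value": "10.0.0.9"},
        ]
    }
}, indent=4)

SEP = "|"  # the separator the answers pass to mvzip


def header_fields(raw):
    """Model of the auto-extracted multivalue fields request.headers{}.name and
    request.headers{}.value: one ordered list per JSON path, with an entry only
    where the key exists (so a header without "value" shortens the second list)."""
    headers = json.loads(raw)["request"]["headers"]
    names = [h["name"] for h in headers if "name" in h]
    values = [h["value"] for h in headers if "value" in h]
    return names, values


def fields_aligned(raw):
    """Sanity check a defender should run before trusting mvzip output:
    positional pairing is only meaningful when both lists have the same length."""
    names, values = header_fields(raw)
    return len(names) == len(values)


def mvzip(a, b, sep=SEP):
    """Model of mvzip(X, Y, Z): stitch the i-th value of X to the i-th value of Y.
    This model stops at the shorter list; the point is that nothing re-aligns
    the pairs when one list is shorter, so values shift onto the wrong names."""
    return [f"{x}{sep}{y}" for x, y in zip(a, b)]


def extract_by_zip(raw, wanted="x-real-ip"):
    """Answers 1 and 2: eval combined=mvzip(...) | mvexpand combined
    | search combined="x-real-ip*" | rex field=combined "\\|(?<x_real_ip>.+)"."""
    names, values = header_fields(raw)
    combined = mvzip(names, values)                 # eval combined=mvzip(...)
    rows = [{"combined": c} for c in combined]      # mvexpand combined
    rows = [r for r in rows if r["combined"].startswith(wanted)]  # search "x-real-ip*"
    results = []
    for r in rows:                                  # rex: everything after the first "|"
        m = re.search(r"\|(?P<x_real_ip>.+)", r["combined"])
        if m:
            results.append(m.group("x_real_ip"))
    return results


def extract_by_rex(raw):
    """Answer 3: rex max_match=0 over _raw for every name and every value (findall),
    mvzip them with "=", and let kv turn name=value pairs into fields (a dict here).
    Python named groups use (?P<...>), so the answer's (?<...>) is written that way."""
    names = re.findall(r'name":\s"(?P<fieldname>[^"]+)', raw)
    values = re.findall(r'value":\s"(?P<fieldvalue>[^"]+)', raw)
    return dict(zip(names, values))


if __name__ == "__main__":
    print(extract_by_zip(RAW_EVENT))                 # ['10.31.68.186']
    print(extract_by_rex(RAW_EVENT)["x-real-ip"])    # 10.31.68.186
    print(fields_aligned(RAW_EVENT_MISSING))         # False: pairing would mislabel a value
```

Both approaches return the same answer for the well-formed event. On the second event, where `x-real-ip` has a name but no value, both silently attach `10.0.0.9` (the `x-forwarded-for` value) to `x-real-ip`; the `fields_aligned` check is the cheap way to notice that before acting on the extracted address.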
