I im newbie in splunk. I have this json:
"request": {
"headers": [
{
"name": "x-real-ip",
"value": "10.31.68.186"
},
{
"name": "x-forwarded-for",
"value": "10.31.68.186"
},
{
"name": "x-nginx-proxy",
"value": "true"
}
I need to pick a value when the property name has "x-real-ip" value.
There are a couple ways to do this - here's the one I use most often (presuming you also want the value along side the name):
index=ndx sourcetype=srctp request.headers{}.name="x-real-ip"
| eval combined=mvzip(request.headers{}.name,request.headers{}.value,"|")
| mvexpand combined
| search combined="x-real-ip*"
This skips all events that don't have "x-real-ip" somewhere in the request.headers{}.name multivalue field
Next, it combines the two multivalue fields (name & value) into a single mv field, separated by the | character
Then expand the resultset so you're looking at one line at a time
Finally, you look for only results that have the value "x-real-ip" in them
If you'd like to then extract the value from the combined field, add the following line:
| rex field-combined "\|(?<x_real_ip>.+)"
And, of course, you can do whatever other SPL operations on your data you wish
I tried @Warren's answer but I got the following error:
Error in 'eval' command: The expression is malformed. Expected ).
You need to add a rename because the {} charcters in mvzip causes problems.
This is the query that works:
index=ndx sourcetype=srctp request.headers{}.name="x-real-ip"
| rename request.headers{}.name AS headerName, request.headers{}.value AS headerValue
| eval reviewers=mvzip(headerName,headerValue ,"|")
| mvexpand reviewers
| search reviewers="x-real-ip*"
your search
| rex max_match=0 "name\":\s\"(?<fieldname>[^\"]+)"
| rex max_match=0 "value\":\s\"(?<fieldvalue>[^\"]+)"
| eval tmp=mvzip(fieldname,fieldvalue,"=")
| rename tmp as _raw
| kv
| fields - _* field*
When you ask a question, please present the correct information. You've run out of logs in the process.
