We have updated our Terms of Service, Code of Conduct, and Addendum.

Cribl_pipe is json array; how to deal with that in splunk?

Options
Brandon McCombs
Brandon McCombs Posts: 150 mod
in Stream

our cribl_pipe field being a json array and they don’t know how to use splunk to mvexpand them, instruct them to use the flatten function instead in a post-processing pipeline.

I have multiple values in the cribl_pipe field for my events. How do I correctly process those in Splunk when the events are sent downstream? I’m trying to use mvexpand but it’s not working as desired.

Best Answer

  • Johan Woger
    Johan Woger Posts: 16
    edited July 2023 Answer ✓
    Options

    The trick is to use the flatten function on the cribl_pipe field. This will spit out each multi-value into its own separate field. See the screenshot below.

    54487a6210af80cb8915f42becc6cab64b1b0de7.jpeg

Answers

  • Tony Reinke - Cribl
    Tony Reinke - Cribl Posts: 134 admin
    Options

    In Splunk, how are the values showing up?

    • cribl_pipe="value1,value2"
    • cribl_pipe="value1 value2"
  • Johan Woger
    Johan Woger Posts: 16
    edited July 2023 Answer ✓
    Options

    The trick is to use the flatten function on the cribl_pipe field. This will spit out each multi-value into its own separate field. See the screenshot below.

    54487a6210af80cb8915f42becc6cab64b1b0de7.jpeg
  • Brandon McCombs
    Brandon McCombs Posts: 150 mod
    Options

    Thanks. That works for my purposes.

Categories