Splunk® Cloud Services

SPL2 Search Manual

Acrobat logo Download manual as PDF


Acrobat logo Download topic as PDF

Access expressions for arrays and objects

You access array and object values by using expressions and specific notations.

You can specify these expressions in the SELECT clause of the from command, with the eval command, or as part of evaluation expressions with other commands.

There are two notations that you can use to access values, the dot ( . ) notation and the square bracket [ ] notation. The notation you use depends on the type of value you want to access:

Type of value Notation you can use
array values square bracket
object values dot

square bracket

Keys and values are case sensitive in expressions

You must specify keys and values in expressions in the case in which the values appear in the data. For example, if you are searching for Games you cannot specify games.

Accessing values in arrays

Consider the following array of competitive board games: 

{
  "games": ["Settlers of Catan","Terraforming Mars","Ticket to Ride"]
}

To access Ticket to Ride in the array, you specify the index position using square bracket [ ] notation. Ticket to Ride is in the third position. Because the index count starts with 0, the third position is 2.

Here's an example:

...| eval competitive=games[2]


Here is another set of data that consists of a set of nested objects and an array of game names: 

{
  "games": {
    "category": {
      "boardgames": {
        "cooperative": ["Pandemic","Forbidden Island","Castle Panic"]
      }
    }
  }
}


To return Forbidden Island from the array of cooperative boardgames, you must specify the path and index position of the game in the array. Here's the expression to use in your search:

...| eval name=games.category.boardgames.cooperative[1]

  • For the path, use dots ( . ) between each key in the path.
  • For the array that lists the names of the games, use the square bracket [ ] notation.

Accessing values in objects

Consider this set of data about famous bridges in various cities: 

[{
  "cities": [
    {
      "name": "London",
      "Bridges": [
        { "name": "Tower Bridge", "length": 801 },
        { "name": "Millennium Bridge", "length": 1066 }
      ]
    },
    {
      "name": "Venice",
      "Bridges": [
        { "name": "Rialto Bridge", "length": 157 },
        { "name": "Bridge of Sighs", "length": 36 },
        { "name": "Ponte della Paglia" }
      ]
    },
    {
      "name": "San Francisco",
      "Bridges": [
        { "name": "Golden Gate Bridge", "length": 8981 },
        { "name": "Bay Bridge", "length": 23556 }
      ]
    }
  ]
}]

To access the values in objects, you can use either the dot ( . ) notation or the square bracket ( [ ] ) notation in the expressions

Using dot ( . ) notation

Using the city bridges array, here's an example of the dot ( . ) notation expression you use to access information about the Millennium Bridge:

...| eval bridge_info=cities[0].Bridges[1]

This expression specifies the first object inside the cities array, followed by the second object in the Bridges array.

This example returns {"name": "Millennium Bridge", "length": 1066}.

To return only the name of the bridge, use this expression:

...| eval bridge_info=cities[0].Bridges[1].name

This example returns Millennium Bridge.

Using square bracket ( [ ] ) notation

You can also use the square bracket ( [ ] ) notation expression to access information about the Millennium Bridge. Here's an example:

...| eval bridge_name=cities[0]["Bridges"][1]

This expression returns {"name": "Millennium Bridge", "length": 1066}.

To specify the path to the name of the bridge, use this expression:

...| eval bridge_name=cities[0]["Bridges"][1]["name"]

This example returns Millennium Bridge.

If the value you want to access is a string, you must enclose the value in double quotation marks. If the value is a field name, you don't need to use quotation marks.

Expression examples

When specifying the position index, you can use any type of expression.

For example, the following search uses the field name expression index and the numeric expression 5-4 with the the dot ( . ) notation:

...| eval index=0, bridge_name=cities[index].Bridges[5 - 4]

For types of valid expressions, see Types of expressions.

Keys that are reserved words

If a key in a key-value path is a reserved word, such as a command or function name, or a keyword, you must enclose the key in single quotation marks. See Reserved words in the SPL2 Search Reference.

Consider this set of data which uses group as the key for an array: 

{
  "boardgames": {
     "group": {
         "cooperative": [ "Pandemic", "Forbidden Island", "Castle Panic" ],
         "competitive": [ "Settlers of Catan", "Terraforming Mars", "Ticket to Ride"]
    }
  }
}

Because group is a reserved word, you must enclose it in single quotation marks when you use the key in an expression:

...| eval game_name=boardgames.'group'.competitive[2]

This eval command returns a new field called game_name with the value Ticket to Ride.

See also

Types of expressions
Array and object literals in expressions
Array data types in the SPL2 Search Reference
Object data types in the SPL2 Search Reference
Last modified on 04 August, 2022
PREVIOUS
Array and object literals in expressions 		  NEXT
String templates in expressions

This documentation applies to the following versions of Splunk® Cloud Services: current

Was this documentation topic helpful?


You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters