Access expressions for arrays and objects
You access array and object values by using expressions and specific notations. You can specify these expressions in the SELECT clause of the from command, with the eval command, or as part of evaluation expressions with other commands.
There are two notations that you can use to access values, the dot ( . ) notation and the square bracket [ ] notation. The notation you use depends on the type of value you want to access:
Type of value | Notation you can use |
---|---|
array values | square bracket |
object values | dot or square bracket |
Keys and values are case sensitive in expressions
You must specify keys and values in expressions in the case in which the values appear in the data. For example, if you are searching for Games, you cannot specify games.
Accessing values in arrays
Consider the following array of competitive board games:
{ "games": ["Settlers of Catan","Terraforming Mars","Ticket to Ride"] }
To access Ticket to Ride in the array, you specify the index position using square bracket [ ] notation. Ticket to Ride is in the third position. Because the index count starts with 0, the third position is 2.
Here's an example:
...| eval competitive=games[2]
Here is another set of data that consists of a set of nested objects and an array of game names:
{ "games": { "category": { "boardgames": { "cooperative": ["Pandemic","Forbidden Island","Castle Panic"] } } } }
To return Forbidden Island from the array of cooperative boardgames, you must specify the path and index position of the game in the array. Here's the expression to use in your search:
...| eval name=games.category.boardgames.cooperative[1]
- For the path, use dots ( . ) between each key in the path.
- For the array that lists the names of the games, use the square bracket [ ] notation.
Accessing values in objects
Consider this set of data about famous bridges in various cities:
[{ "cities": [ { "name": "London", "Bridges": [ { "name": "Tower Bridge", "length": 801 }, { "name": "Millennium Bridge", "length": 1066 } ] }, { "name": "Venice", "Bridges": [ { "name": "Rialto Bridge", "length": 157 }, { "name": "Bridge of Sighs", "length": 36 }, { "name": "Ponte della Paglia" } ] }, { "name": "San Francisco", "Bridges": [ { "name": "Golden Gate Bridge", "length": 8981 }, { "name": "Bay Bridge", "length": 23556 } ] } ] }]
To access the values in objects, you can use either the dot ( . ) notation or the square bracket ( [ ] ) notation in the expressions.
Using dot ( . ) notation
Using the city bridges array, here's an example of the dot ( . ) notation expression you use to access information about the Millennium Bridge:
...| eval bridge_info=cities[0].Bridges[1]
This expression specifies the first object inside the cities array, followed by the second object in the Bridges array.
This example returns {"name": "Millennium Bridge", "length": 1066}.
To return only the name of the bridge, use this expression:
...| eval bridge_info=cities[0].Bridges[1].name
This example returns Millennium Bridge.
Using square bracket ( [ ] ) notation
You can also use the square bracket ( [ ] ) notation expression to access information about the Millennium Bridge. Here's an example:
...| eval bridge_name=cities[0]["Bridges"][1]
This expression returns {"name": "Millennium Bridge", "length": 1066}.
To specify the path to the name of the bridge, use this expression:
...| eval bridge_name=cities[0]["Bridges"][1]["name"]
This example returns Millennium Bridge.
If the value you want to access is a string, you must enclose the value in double quotation marks. If the value is a field name, you don't need to use quotation marks.
Expression examples
When specifying the position index, you can use any type of expression.
For example, the following search uses the field name expression index and the numeric expression 5-4 with the dot ( . ) notation:
...| eval index=0, bridge_name=cities[index].Bridges[5 - 4]
For types of valid expressions, see Types of expressions.
Keys that are reserved words
If a key in a key-value path is a reserved word, such as a command or function name, or a keyword, you must enclose the key in single quotation marks. See Reserved words in the SPL2 Search Reference.
Consider this set of data, which uses group as the key for an array:
{ "boardgames": { "group": { "cooperative": [ "Pandemic", "Forbidden Island", "Castle Panic" ], "competitive": [ "Settlers of Catan", "Terraforming Mars", "Ticket to Ride"] } } }
Because group is a reserved word, you must enclose it in single quotation marks when you use the key in an expression:
...| eval game_name=boardgames.'group'.competitive[2]
This eval command returns a new field called game_name with the value Ticket to Ride.
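The path rules described above (dots between keys, square brackets for array positions and double-quoted keys, single quotes around a reserved-word key, exact-case key matching) can be checked offline against sample events with the following Python resolver. It is an added example, not Splunk code: the names TOKEN, parse_path and resolve are hypothetical, only literal integer indexes are modeled, and returning None for a step that does not match is an assumption of the example rather than documented SPL2 behavior.

```python
import json
import re

# Subset of the access-path syntax shown on this page (literal indexes only).
TOKEN = re.compile(r"""
    (?:^|(?<=.)\.)(?P<bare>[A-Za-z_]\w*)   # games   .category
  | (?:^|(?<=.)\.)'(?P<quoted>[^']+)'      # .'group'  (reserved word as key)
  | \["(?P<string>[^"]+)"\]                # ["Bridges"]
  | \[(?P<index>\d+)\]                     # [1]
""", re.VERBOSE)

def parse_path(path):
    """Split an access path into a list of str keys and int indexes."""
    steps, pos = [], 0
    while pos < len(path):
        m = TOKEN.match(path, pos)
        if not m:
            raise ValueError(f"cannot parse {path!r} at offset {pos}")
        if m.group("index") is not None:
            steps.append(int(m.group("index")))
        else:
            steps.append(m.group("bare") or m.group("quoted") or m.group("string"))
        pos = m.end()
    return steps

def resolve(event, path):
    """Walk the path through parsed JSON and return the value it points to."""
    value = event
    for step in parse_path(path):
        if isinstance(step, int) and isinstance(value, list) and step < len(value):
            value = value[step]
        elif isinstance(step, str) and isinstance(value, dict) and step in value:
            value = value[step]  # exact, case-sensitive key match
        else:
            return None  # assumption of this example: no match yields None
    return value

# Sample events taken from the page's examples (bridges list shortened).
BRIDGES = json.loads("""{"cities": [{"name": "London", "Bridges": [
    {"name": "Tower Bridge", "length": 801},
    {"name": "Millennium Bridge", "length": 1066}]}]}""")
GAMES = json.loads("""{"boardgames": {"group": {"competitive":
    ["Settlers of Catan", "Terraforming Mars", "Ticket to Ride"]}}}""")

if __name__ == "__main__":
    for event, path in [(BRIDGES, 'cities[0].Bridges[1].name'),
                        (BRIDGES, 'cities[0]["Bridges"][1]["name"]'),
                        (BRIDGES, 'cities[0].bridges[1].name'),  # wrong case
                        (GAMES, "boardgames.'group'.competitive[2]")]:
        print(f"{path:40} -> {resolve(event, path)!r}")
```

The third path differs from the first only in the case of Bridges and resolves to nothing, which is the most common reason a field extracted this way comes back empty in a search.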
See also
- Types of expressions
- Array and object literals in expressions
- Array data types in the SPL2 Search Reference
- Object data types in the SPL2 Search Reference
This documentation applies to the following versions of Splunk® Cloud Services: current