Hey Folks, i have a silly Q, I am using GeoIP with maxminddbs and it adds a json array like it should. When it gets into Splunk, the only way to search elements in the array requires an | spath command and cant search like a normal key=value. is it recommended to do a json extract after the GeoIP function? if not, how should I pull those fields?
Page 1 / 1
Ohh Flatten. Didnt even cross my mind on that command. Thanks a bunch!
i'd use flatten, and filter out the unwanted entries (other languages etc)
Eval to remove junk fields:
then flatten
then Rename:
Reply
Login to the community
No account yet? Create an account
Enter your E-mail address. We'll send you an e-mail with instructions to reset your password.