Cribl_pipe is json array; how to deal with that in splunk?

Question

our cribl_pipe field being a json array and they don’t know how to use splunk to mvexpand them, instruct them to use the flatten function instead in a post-processing pipeline.

I have multiple values in the cribl_pipe field for my events. How do I correctly process those in Splunk when the events are sent downstream? I’m trying to use mvexpand but it’s not working as desired.

Johan Woger · Accepted Answer

The trick is to use the flatten function on the cribl_pipe field. This will spit out each multi-value into its own separate field. See the screenshot below.

Tony R · Answer

In Splunk, how are the values showing up?cribl_pipe="value1,value2"cribl_pipe="value1 value2"

Reply

Sign up

Login to the community

Scanning file for viruses.

This file cannot be downloaded