Skip to main content
Solved

Cribl_pipe is json array; how to deal with that in splunk?

  • March 11, 2025
  • 3 replies
  • 24 views
B

our cribl_pipe field being a json array and they don’t know how to use splunk to mvexpand them, instruct them to use the flatten function instead in a post-processing pipeline.

I have multiple values in the cribl_pipe field for my events. How do I correctly process those in Splunk when the events are sent downstream? I’m trying to use mvexpand but it’s not working as desired.

Best answer by Johan Woger

The trick is to use the flatten function on the cribl_pipe field. This will spit out each multi-value into its own separate field. See the screenshot below.

105_a611ba8f0fd74db0a3dc8c62e03598c4.jpeg

    3 replies

    T
    • Tony R
    • Employee
    • March 11, 2025

    In Splunk, how are the values showing up?

    • cribl_pipe="value1,value2"
    • cribl_pipe="value1 value2"
    J
    • Johan Woger
    • Employee
    • Answer
    • March 11, 2025

    The trick is to use the flatten function on the cribl_pipe field. This will spit out each multi-value into its own separate field. See the screenshot below.

    105_a611ba8f0fd74db0a3dc8c62e03598c4.jpeg
    B

    Thanks. That works for my purposes.

    Terms & ConditionsAccessibility statement