Splunk doesn’t have "arrays"
It has multivalue fields
To access/do anything with them, you need to use multivalue commands/functions:
- multivalue eval functions – https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/MultivalueEvalFunctions
- multivalue stats functions – https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Multivaluefunctions
In your example, you’d want to do something like the following:
<search>
| eval EventType=case(mvindex('http.request.queryParameters.authIndexValue',0)=="Login_FooBar","LOGIN", mvindex('http.request.queryParameters.authIndexValue',0)=="Login_BarFoo","not a good login", 1=1,"error state")
from User warren – Stack Overflow https://stackoverflow.com/questions/65892385/how-do-i-access-an-array-value-inside-a-case-in-splunk/65903207#65903207
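The following is an added, self-contained SPL example (not part of warren's answer or the original question) that goes a bit beyond the single case() call above: it builds a few constructed sample events with makeresults, turns one of them into a multivalue field, and shows mvindex, mvcount and mvfilter alongside the classification. The field name http.request.queryParameters.authIndexValue is the one from the question; the sample values other than Login_FooBar and Login_BarFoo are made up for illustration. It runs on any Splunk instance without indexed data.

```spl
| makeresults count=4
| streamstats count AS n
| eval authIndexValue=case(n=1,"Login_FooBar,Something_Else", n=2,"Login_BarFoo", n=3,"Login_Unknown", true(),null())
| makemv delim="," authIndexValue
| rename authIndexValue AS http.request.queryParameters.authIndexValue
| eval first_value=mvindex('http.request.queryParameters.authIndexValue', 0)
| eval value_count=mvcount('http.request.queryParameters.authIndexValue')
| eval login_values=mvfilter(match('http.request.queryParameters.authIndexValue', "^Login_"))
| eval EventType=case(isnull(first_value),"no authIndexValue", first_value=="Login_FooBar","LOGIN", first_value=="Login_BarFoo","not a good login", true(),"error state")
| table n http.request.queryParameters.authIndexValue first_value value_count login_values EventType
```

Three points this shows that the one-liner does not: field names containing dots must be single-quoted inside eval functions (double quotes would make them string literals); a string literal being compared against, such as "Login_FooBar", must be double-quoted or Splunk treats it as a field name and the comparison silently never matches; and when the field is absent entirely (row 4), mvindex returns null, so an explicit isnull() branch is needed before the catch-all if you want to tell "missing" apart from "unexpected value" rather than lumping both into the error state.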