@gokadroid I used the rex you suggested and that returned the data between {}. table option put it under one column. Here is how it looks
"key1":"value1","key2":"value2"
"key1":"value1","key2":"value2"
I want to create a table with key1, key2 as headers and value1, value2 as the actual values inside it. Here is what i did
query to return event | rex field=_raw "(?s).*(My Search String)\s*\:\s*\{(?<myJson>[^\}]+)\}" | mvexpand myJson
| eval str=split(myJson,",")
| eval col1=mvindex(str,0)
| eval col2=mvindex(str,1)
| table col1, col2
This is working but i get both key & value in column data. Is there a better way to get a cleaner table.
... View more