{
"Version" : 2
Diagnostic: [
{ Name: "Brian", School :"KVG" },
{ Name: "Steve", School :"MKG" },
{ Name: "Gerry" },
{LastName: "Todd", School :"HVD" }
]
How can I get these fields extracted so that it looks like this:
Name Last Name School
Brian - KVG
Steve - MKG
Gerry - -
- Obama HVD
Thanks !
Similar to this: https://answers.splunk.com/answers/424422/referring-to-array-elements-by-index.html#answer-424424
| stats count | fields - count
| eval _raw = " {
\"Version\" : 2
Diagnostic: [
{ Name: \"Brian\", School :\"KVG\" },
{ Name: \"Steve\", School :\"MKG\" },
{ Name: \"Gerry\" },
{ LastName: \"Todd\", School :\"HVD\" }
]
}
"
| rex field=_raw max_match=0 "(?mi)\{\s*(?<keyvalue>.+)\s*\}\,?\n"
| mvexpand keyvalue
| streamstats count as N
| eval keyvalue = split(keyvalue, ",")
| mvexpand keyvalue
| rex field=keyvalue max_match=0 "(?msi)(?<key>\w+)[\s:\"]+(?<value>[^\"]+)"
| eval {key} = value
| fields - keyvalue, key, value
| stats first(*) as * by N, _raw
| fillnull value="-"
| table Name, LastName, School
Output:
Thank you !
Similar to this: https://answers.splunk.com/answers/424422/referring-to-array-elements-by-index.html#answer-424424
| stats count | fields - count
| eval _raw = " {
\"Version\" : 2
Diagnostic: [
{ Name: \"Brian\", School :\"KVG\" },
{ Name: \"Steve\", School :\"MKG\" },
{ Name: \"Gerry\" },
{ LastName: \"Todd\", School :\"HVD\" }
]
}
"
| rex field=_raw max_match=0 "(?mi)\{\s*(?<keyvalue>.+)\s*\}\,?\n"
| mvexpand keyvalue
| streamstats count as N
| eval keyvalue = split(keyvalue, ",")
| mvexpand keyvalue
| rex field=keyvalue max_match=0 "(?msi)(?<key>\w+)[\s:\"]+(?<value>[^\"]+)"
| eval {key} = value
| fields - keyvalue, key, value
| stats first(*) as * by N, _raw
| fillnull value="-"
| table Name, LastName, School
Output: