Hi guys,
I would like to convert the following event into a table:
{
  "Id": 1505207351,
  "Start": 1505207651,
  "Resource": "res",
  "Nodes": [
    [ "res1", 1 ], [ "res2", 3 ]
  ]
}
The output should be a table like this:
Id | Start | Nodes
1505207351 | 1505207651 | [res1,1] , [res2,3]
Or even better, display a subtable in the Nodes column:
Id         | Start      | Nodes
           |            | Res  | Rank
-------------------------------------
1505207351 | 1505207651 | res1 | 1
           |            | res2 | 3
-------------------------------------
2305207351 | 2305207651 | res3 | 4
           |            | res4 | 3
The event sourcetype is _json
My actual query to search the events is this:
index="myindex" | spath | table Id, Start, Nodes
The result is a table but the Nodes column is empty
Thanks
Give this a try
index="myindex" | spath | table Id, Start, Nodes* | rename Nodes{}{} as Nodes | rex field=Nodes max_match=0 "(?<Nodes_Res>\S+)\s+(?<Nodes_Rank>\d+)"
| table Id, Start, Nodes_Res Nodes_Rank
Try this
index="myindex" | spath | table Id, Start, Nodes* | rename Nodes{}{} as Nodes
Great it worked.
Is it difficult (or is it possible) to implement the subtable?
It will be difficult. Firstly, the dual level columns are not possible (Splunk doesn't support merged columns like you see in Excel), but you would be able to do some workaround. How does the data look in the Nodes column after the queries? Can you post some actual sample values (mask anything that is sensitive)? Conversion of that to the subtable format (converting Nodes to a multivalued field) will depend on its current format. Maybe run this and tell the actual values in both the Nodes and NodesCount columns.
index="myindex" | spath | table Id, Start, Nodes* | rename Nodes{}{} as Nodes | eval NodesCount=mvcount(Nodes)
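One workaround for the subtable, added here as an example and not taken from either answer above: since Splunk cannot merge cells, the closest rendering is one row per node, with Id and Start repeated. It assumes what the earlier query in this thread showed, namely that spath flattens the nested array into an ordered multivalue field Nodes{}{} holding res1, 1, res2, 3 (resource and rank alternating). mvrange builds the even indexes, mvexpand turns each index into its own row, and mvindex pulls the resource and its rank out of the multivalue field.

```spl
index="myindex" sourcetype="_json"
| spath
| rename Nodes{}{} as Nodes
| eval NodesCount=mvcount(Nodes)
| eval idx=mvrange(0, NodesCount, 2)
| mvexpand idx
| eval Res=mvindex(Nodes, idx), Rank=mvindex(Nodes, idx+1)
| table Id, Start, Res, Rank
```

On the sample event this yields two rows, 1505207351 / 1505207651 / res1 / 1 and 1505207351 / 1505207651 / res2 / 3. If the inner arrays ever carry a different number of elements per node, the step of 2 in mvrange no longer lines up, so check NodesCount against the number of nodes you expect before relying on the output.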
This is my current result: link text