I have a series of tests that are performed at random times throughout the week. There are a total of 12 events. Each event contains a series of tests.
I have a collection of 12 tests that contain nested data inside. For example:
{results:
{
did_pass: true
unique_id: 12345
test_number= 1
test_statistics: {
another_unique_id: abcde
}
}
{
did_pass: false
unique_id: 67891
test_number= 1
test_statistics: {
another_unique_id: fghijk
}
}
}
{results:
{
did_pass: false
unique_id: 111213
test_number= 2
test_statistics: {
another_unique_id: lmnop
}
}
{
did_pass: true
unique_id: 141516
test_number= 2
test_statistics: {
another_unique_id: qrstuv
}
}
}
Is there any command that would loop through all of these results? I've tried "| dedup test_number" but have gotten nowhere with it.
Try this:
| makeresults
| eval raw="{results:
{
did_pass: true
unique_id: 12345
test_number= 1
test_statistics: {
another_unique_id: abcde
}
}
{
did_pass: false
unique_id: 67891
test_number= 1
test_statistics: {
another_unique_id: fghijk
}
}
}:::{results:
{
did_pass: false
unique_id: 111213
test_number= 2
test_statistics: {
another_unique_id: lmnop
}
}
{
did_pass: true
unique_id: 141516
test_number= 2
test_statistics: {
another_unique_id: qrstuv
}
}
}"
| makemv delim=":::" raw
| mvexpand raw
| rename raw AS _raw
| rename COMMENT AS "Everything above generates sample event data; everything below is your solution"
| rex max_match=0 "(?ms)\s*{\s+(?<test>did_pass[^}]+})"
| mvexpand test
| rex field=test "did_pass:\s*(?<did_pass>\S+)\s+unique_id:\s+(?<unique_id>\S+)\s+test_number\s*=\s*(?<test_number>\d+)\s+test_statistics:\s+{\s*another_unique_id:\s*(?<another_unique_id>\S+)"
| dedup test_number
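The two-stage extraction in the answer above can be checked offline. This is an added example, not part of the original answer: a Python emulation of the `rex max_match=0` / `mvexpand` / `rex` / `dedup` steps, run over constructed copies of the two sample events. The names `make_event`, `extract` and `dedup` are assumptions chosen for illustration.

```python
import re

# Python equivalents of the two rex patterns in the answer
# (Python spells named groups (?P<name>...); the literal braces are escaped).
TEST_BLOCK = re.compile(r"\s*\{\s+(?P<test>did_pass[^}]+\})", re.M | re.S)
FIELDS = re.compile(
    r"did_pass:\s*(?P<did_pass>\S+)\s+unique_id:\s+(?P<unique_id>\S+)"
    r"\s+test_number\s*=\s*(?P<test_number>\d+)\s+test_statistics:"
    r"\s+\{\s*another_unique_id:\s*(?P<another_unique_id>\S+)"
)

def make_event(tests):
    """Build one constructed event in the layout shown in the question."""
    body = "".join(
        "{\ndid_pass: %s\nunique_id: %s\ntest_number= %s\n"
        "test_statistics: {\nanother_unique_id: %s\n}\n}\n" % t
        for t in tests
    )
    return "{results:\n" + body + "}"

# Constructed sample data: the two events from the question.
EVENTS = [
    make_event([("true", "12345", "1", "abcde"), ("false", "67891", "1", "fghijk")]),
    make_event([("false", "111213", "2", "lmnop"), ("true", "141516", "2", "qrstuv")]),
]

def extract(events):
    """rex max_match=0 + mvexpand + rex: one row (dict) per nested test."""
    rows = []
    for raw in events:
        for block in TEST_BLOCK.findall(raw):
            m = FIELDS.search(block)
            if m:  # skip a block the second pattern does not match
                rows.append(m.groupdict())
    return rows

def dedup(rows, field):
    """Like `| dedup field`: keep the first row seen for each value."""
    seen, kept = set(), []
    for row in rows:
        if row[field] not in seen:
            seen.add(row[field])
            kept.append(row)
    return kept

if __name__ == "__main__":
    rows = extract(EVENTS)
    print(len(rows), "rows extracted;", len(dedup(rows, "test_number")), "after dedup")
    for row in dedup(rows, "test_number"):
        print(row)
```

Four rows come out of the extraction; the final `dedup` step keeps only the first row seen for each `test_number`.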