Hi,
I am doing some experimentation with regard to JSON events. I have two events loaded:
{
  "event":
  {
    "time": "2019-02-10T05:52:03",
    "StatsMonitor": {
      "time": "2019-02-10T05:52:03",
      "name": "StatsMonitor",
      "LocalTimetDelta": 0,
      "CaptureTimetDelta": 0,
      "DeltaTimeAuditLog": 0,
      "ActiveUsers": 26
    }
  }
}
and
{
  "action":
  {
    "StatsMonitor": {
      "time": "2019-02-10T05:52:03",
      "name": "StatsMonitor",
      "LocalTimetDelta": 0,
      "CaptureTimetDelta": 0,
      "DeltaTimeAuditLog": 0,
      "ActiveUsers": 26
    }
  },
  "action":
  {
    "StatsMonitorx": {
      "time": "2019-01-10T06:52:03",
      "name": "StatsMonitor",
      "LocalTimetDelta": 0,
      "CaptureTimetDelta": 0,
      "DeltaTimeAuditLog": 0,
      "ActiveUsers": 52
    }
  }
}
The index I am using is 'conship'
I have a search:
index=conship
| spath path=event.StatsMonitor
| rename event.time as time, event.StatsMonitor.* as *
| table time ActiveUsers
which is returning both events as results, but has duplicate data coming from the first (which is the correct data).
I would have thought:
spath path=event.StatsMonitor
would have eliminated the data altogether from the second event. Perhaps I could get a blank line, but why am I getting a duplicate from the correct event?
Thanks,
Stan
Hello @brutecat,
the below does the trick
| makeresults
| eval _raw="{
\"event\":
{
\"time\": \"2019-02-10T05:52:03\",
\"StatsMonitor\": {
\"time\": \"2019-02-10T05:52:03\",
\"name\": \"StatsMonitor\",
\"LocalTimetDelta\": 0,
\"CaptureTimetDelta\": 0,
\"DeltaTimeAuditLog\": 0,
\"ActiveUsers\": 26
}
},
\"action\":
{
\"StatsMonitor\": {
\"time\": \"2019-02-10T05:52:03\",
\"name\": \"StatsMonitor\",
\"LocalTimetDelta\": 0,
\"CaptureTimetDelta\": 0,
\"DeltaTimeAuditLog\": 0,
\"ActiveUsers\": 26
}
}
,
\"action\":
{
\"StatsMonitor\": {
\"time\": \"2019-01-10T06:52:03\",
\"name\": \"StatsMonitor\",
\"LocalTimetDelta\": 0,
\"CaptureTimetDelta\": 0,
\"DeltaTimeAuditLog\": 0,
\"ActiveUsers\": 52
}
}
}"
| spath
| rename event.time as time
| spath path=event
| rename event.StatsMonitor.* as *
| table time ActiveUsers
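As an added illustration (not part of the thread or of Splunk), a small Python model of what `spath path=event.StatsMonitor` selects from each of the two events, and of how the repeated `action` key in the second event (and in the merged event above) yields several values rather than one; the path walker, `keep_duplicates` hook and inline copies of the events are this example's own assumptions.

```python
import json

# Constructed copies of the two events posted in the question (not indexed data).
EVENT_1 = '''{"event": {"time": "2019-02-10T05:52:03",
  "StatsMonitor": {"time": "2019-02-10T05:52:03", "name": "StatsMonitor",
    "LocalTimetDelta": 0, "CaptureTimetDelta": 0, "DeltaTimeAuditLog": 0,
    "ActiveUsers": 26}}}'''
EVENT_2 = '''{"action": {"StatsMonitor": {"time": "2019-02-10T05:52:03",
    "name": "StatsMonitor", "LocalTimetDelta": 0, "CaptureTimetDelta": 0,
    "DeltaTimeAuditLog": 0, "ActiveUsers": 26}},
  "action": {"StatsMonitorx": {"time": "2019-01-10T06:52:03",
    "name": "StatsMonitor", "LocalTimetDelta": 0, "CaptureTimetDelta": 0,
    "DeltaTimeAuditLog": 0, "ActiveUsers": 52}}}'''


def keep_duplicates(pairs):
    """object_pairs_hook: collect repeated keys into a list (default: last wins)."""
    out = {}
    for key, value in pairs:
        if key in out:
            if not isinstance(out[key], list):
                out[key] = [out[key]]
            out[key].append(value)
        else:
            out[key] = value
    return out


def spath(raw, path):
    """Return every value at a dotted path (Splunk's spath gives a multivalue
    field for duplicate keys), or [] when the path is absent from the event."""
    nodes = [json.loads(raw, object_pairs_hook=keep_duplicates)]
    for part in path.split("."):
        matched = []
        for node in nodes:
            # A list here means the parent key was duplicated; search each copy.
            candidates = node if isinstance(node, list) else [node]
            for cand in candidates:
                if isinstance(cand, dict) and part in cand:
                    matched.append(cand[part])
        nodes = matched
    flat = []
    for node in nodes:
        flat.extend(node if isinstance(node, list) else [node])
    return flat


def last_wins_keys(raw, top):
    """Keys under `top` as a default json.loads sees them: the earlier
    duplicate of `top` is silently dropped, only the last object survives."""
    return sorted(json.loads(raw)[top].keys())
```

The default parser silently discards the first `action` object, so when comparing what the indexer extracted against the raw event, load with a duplicate-aware hook as above rather than a plain `json.loads`.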
@brutecat
Can you please share sample events using the precode block (101010 in the text editor)?
{
  "event":
  {
    "time": "2019-02-10T05:52:03",
    "StatsMonitor": {
      "time": "2019-02-10T05:52:03",
      "name": "StatsMonitor",
      "LocalTimetDelta": 0,
      "CaptureTimetDelta": 0,
      "DeltaTimeAuditLog": 0,
      "ActiveUsers": 26
    }
  }
}
AND
{
  "action":
  {
    "StatsMonitor": {
      "time": "2019-02-10T05:52:03",
      "name": "StatsMonitor",
      "LocalTimetDelta": 0,
      "CaptureTimetDelta": 0,
      "DeltaTimeAuditLog": 0,
      "ActiveUsers": 26
    }
  },
  "action":
  {
    "StatsMonitorx": {
      "time": "2019-01-10T06:52:03",
      "name": "StatsMonitor",
      "LocalTimetDelta": 0,
      "CaptureTimetDelta": 0,
      "DeltaTimeAuditLog": 0,
      "ActiveUsers": 52
    }
  }
}
Sorry - I realise the search was also cobbled. The asterisk was dropped:
index=conship
| spath path=event.StatsMonitor
| rename event.time as time, event.StatsMonitor.* as *
| table time ActiveUsers