Hi I have json events that have an array with objects and i want to extract a property from it
Some pseudo search code
| spath output=LastResult path=message.results{-1}
| table LastResult.timestamp
{-1} indexing does not seem to work in spath
| spath output=Results path=message.results{}
| eval LastResult=mvindex(Results, -1)
| table LastResult.timestamp
Also does not work because LastResult has become a string version of the last array element so .timestamp does not work on that string.
my actual objects are a bit more complex and I want to get multiple properties so a regex on the string returned by mvindex is not really an option.
Is there a good way to do this?
,I got a json that with arrays in events.
I'd like to access a property of the last element in such array
| spath output=LastResult path=message.results{-1}
| table LastResult.timestamp
but {-1} does not seem to work for indexing the last element
| spath output=Results path=message.results{}
| eval LastResult= mvindex(Results, -1)
| table LastResult.timestamp
mvindex does accept -1 and it does get the last result from the array
But also does not work because LastResult becomes a string instead of an json object and thus .timestamp does not work
Is there a way to do this?
Hello @marcovdlinden ,
check this. It should solve you problem.
| makeresults
| eval _raw = "{\"message\":{\"results\":[1,2,3], \"otherFields\":0}"
| spath output=result message.results{}
| eval res = mvindex(result,mvcount(result)-1)
Can you provide sample JSON?