I wrote the query below to get the data and display it in my dashboard. I am getting results with the correct data, plus additional data too.
Here is the query:
index=tap-prod sourcetype=prod jobId=e62-71c72ccb3aec diff
| rex field=_raw "\"diff\":(?<message>.*)}+"
| spath input=message
| extract kvdelim=":" pairdelim="," message
| table fieldName path expValue actValue
Here is the data I am parsing:
{
  "tapName": "tapData",
  "tapUuid": "22015f427a12",
  "diff": {
    "actValue": "tap_actualValue",
    "address": ".@gmail.com",
    "diffType": "SAMPLE_DIFFERENCE",
    "expValue": "tap_expectedValue",
    "fieldName": "Sample",
    "fullPath": "/http://www.gmail.com/file",
    "path": "/send"
  }
}
When I execute the above query, I get the results below, which are incorrect:
Results
(fieldName) ( path ) (expValue) (actValue) (address)
address":.@gmail.com" expValue":"tap_expectedValue actValue":"tap_actualValue testName":"someOtherVal `Sample` `/send` `tap_expectedValue` `tap_actualValue`
Like this:
| rex "(?ms)\"diff\":(?<message>.*)}+"
As in this:
| makeresults
| eval _raw="{
\"tapName\": \"tapData\",
\"tapUuid\": \"22015f427a12\",
\"diff\": {
\"actValue\": \"tap_actualValue\",
\"address\": \".@gmail.com\",
\"diffType\": \"SAMPLE_DIFFERENCE\",
\"expValue\": \"tap_expectedValue\",
\"fieldName\": \"Sample\",
\"fullPath\": \"/http://www.gmail.com/file\",
\"path\": \"/send\"
}
}"
| rex "(?ms)\"diff\":(?<message>.*)}+"
| spath input=message
| table fieldName path expValue actValue
Thank you for your quick reply.
I tried the above solution but am getting the same results.
UPDATE:
Sample:
| makeresults
| eval _raw="{
\"tapName\": \"tapData\",
\"tapUuid\": \"22015f427a12\",
\"diff\": {
\"actValue\": \"tap_actualValue\",
\"address\": \".@gmail.com\",
\"diffType\": \"SAMPLE_DIFFERENCE\",
\"expValue\": \"tap_expectedValue\",
\"fieldName\": \"Sample\",
\"fullPath\": \"/http://www.gmail.com/file\",
\"path\": \"/send\"
}
}"
| spath diff output=message
| spath input=message
| fields - _* message
Result:
actValue,address,diffType,expValue,fieldName,fullPath,path
tap_actualValue,.@gmail.com,SAMPLE_DIFFERENCE,tap_expectedValue,Sample,/http://www.gmail.com/file,/send
Recommend:
index=tap-prod sourcetype=prod jobId=e62-71c72ccb3aec diff
| spath path=diff output=message
| spath input=message
| fields - _* message
| table fieldName path expValue actValue address
Can you provide props.conf?
Thank you for your reply.
I tried using your solution but am getting the same results.