I have a periodic event with a JSON array that holds some values for different items. I would like to chart one of these values (per component) vs time
E.g.
One event would looks something like:
[
{
"name": "ABC",
"data": {
"a": 1,
"b": 5
}
},
{
"name": "XYZ",
"data": {
"a": 2,
"b": 7
}
}
]
The values for a and b change in consequent events, but the structure stays the same.
I would like to chart the values of 'a' for different components. A final output would look like this:
I used 'spath' to parse the JSON array, and I was able to pull the 'name' values and 'a' values, but there were two problems. I could not correlate which value corresponded to which 'name', and when I made a table of the parsed values I got all the 'name' values and all 'a' values in one row corresponding to the event. I might be taking the wrong approach here, but this is what I have:
| ...
| spath input=myField
| rename {}.name AS name, {}.data.a AS a
| table name, a
Could you please help me create the search string to make the chart described above?
Give this a try
| ...
| spath input=myField
| rename {}.name AS name, {}.data.a AS a | eval temp=mvzip(name,a,"#")
| mvexpand temp | rex field=temp "(?<name>[^#]+)#(?<a>.+)" | fields - temp
| table name, a
Give this a try
| ...
| spath input=myField
| rename {}.name AS name, {}.data.a AS a | eval temp=mvzip(name,a,"#")
| mvexpand temp | rex field=temp "(?<name>[^#]+)#(?<a>.+)" | fields - temp
| table name, a
Thanks, this works perfectly 🙂