Hi,

I'm sending AWS SSM patching logs to Splunk. I'm transforming these via a Lambda and getting the following events (snipped for brevity):

{
<SNIP>
missing_count: 0
not_applicable_count: 1762
operation_end_time: 2021-05-18T16:08:27.1678125Z
operation_start_time: 2021-05-18T16:00:29.0000000Z
operation_type: Install
other_non_compliant_count: 0
owner_information:
patch_group: test-grp6-wed
patches: [
[
KB5001879
Yes
Success
]
[
KB890830
Yes
Success
]
]
}

What I'm after is to table selected fields like server name, start/finish times etc. and to get the patches column in the following format (space or comma separated, on 2 lines, in the same row as the rest of the row for that server):

KB5001879, Yes, Success
KB890830, Yes, Success

I can extract the field using the following:

index="aws" sourcetype="aws:ssmpatchinglogs" | spath patches{}{} output=patches

I've tried some things with mvexpand, streamstats and mvindex (which didn't recognise the command - we're on Splunk Version:8.0.1 Build:6db836e2fb9e).

Cheers