Hello,
I have the following JSON in Splunk:

    {
      _data : {
        services : [
          {
            id : "FB00000",
            users : [
              100,
              122
            ]
          },
          {
            id : "FB11111",
            users : [
              404,
              797
            ]
          }
        ],
        socialNetwork : "FB"
      },
      _timestamp : "01-02-02013T01:00:04.582+0100",
      _type : "ServiceReport"
    }

I would like to know the query to generate a table with the following format:

    ID       USER
    FB00000  100
    FB00000  122
    FB11111  404
    FB11111  797

I tried with:

    sourcetype="singleline_json" AND _type="ServiceReport"
    | rename _data.services{}.users{} as USER
    | rename _data.services{}.id as ID
    | fields ID, USER
    | mvexpand USER
    | eval x=split(USER,",")
    | eval USER = mvindex(x,0)
    | table ID, USER

But it does not work.
Thanks in advance!
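
One way to keep each user paired with its service id, as an added example that is not part of the original post. Renaming `_data.services{}.id` and `_data.services{}.users{}` yields two independent multivalue fields, so `mvexpand USER` leaves every row carrying both ids; the query below instead expands the `services` array one object at a time with `spath` and only then expands the users. The field name `service` is chosen here for illustration.

```spl
sourcetype="singleline_json" AND _type="ServiceReport"
| spath path=_data.services{} output=service
| mvexpand service
| spath input=service
| rename id as ID, users{} as USER
| mvexpand USER
| table ID, USER
```

The first `spath` returns each element of `services` as its own JSON string, and the second `spath` parses that string, so `id` and `users{}` on a given row always come from the same service object.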