Hello friendly Splunk community,
May I ask your assistance in dealing with a multivalue field that sometimes contains one item and sometimes does not contain that item.
For example - the JSON data looks like this:
VerificationItems: [
    {
        Description: Description1
    }
    {
        Description: Description2
    }
    {
        Description: Description3
        ErrorMessage: ErrorMessage3
    }
]
Notice that the "ErrorMessage" field does not appear in every item.
What I would LIKE the output to look like is:
Description     ErrorMessage
----------------------------
Description1
Description2
Description3    ErrorMessage3
The problem is that the "ErrorMessage" field doesn't exist in every subitem of VerificationItems.
I've attempted to use mvzip to combine all Descriptions into a single multivalue field, and do the same with all ErrorMessages, then recombine them using mvindex, as shown in the query below. This works well if the "ErrorMessage" field exists in every subitem. However, in my case it only appears when it has a value.
This is the query that almost works, but it mis-aligns the values:
spath VerificationItems{}.Description | rename VerificationItems{}.Description AS D
| spath VerificationItems{}.ErrorMessage | rename VerificationItems{}.ErrorMessage as E
| eval x=mvzip(D, E, ";;") | mvexpand x
| eval x=split(x,";;")
| eval Descr=mvindex(x,0)
| eval ErrorMessage=mvindex(x,1)
| table _time, Descr, ErrorMessage
The current (and incorrect) end result is:
Description     ErrorMessage
----------------------------
Description1    ErrorMessage3   <-- ErrorMessage3 shows up incorrectly on the first line
Description2
Description3
...which you can see incorrectly aligns ErrorMessage3 with Description1.
I've tried using regex with max_match=0 on the 'VerificationItems' multivalue field without success. (I get zero results). I also attempted a FillNull solution, which also doesn't work as I expected it to.
Does the community have any suggestions on how to tweak this search to work correctly in the absence of that ErrorMessage field on every item?
Thank you in advance for your consideration of assistance.
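An added example, not part of the original post: spath returns only the ErrorMessage values that actually exist, so E holds a single value and mvzip pairs it by position with the first Description. The search below instead splits VerificationItems{} into one event per object before extracting fields; the makeresults event is constructed sample data with quoted JSON keys assumed, and the field name item is a hypothetical helper.

```spl
| makeresults
| eval _raw="{\"VerificationItems\":[{\"Description\":\"Description1\"},{\"Description\":\"Description2\"},{\"Description\":\"Description3\",\"ErrorMessage\":\"ErrorMessage3\"}]}"
| spath path=VerificationItems{} output=item
| mvexpand item
| spath input=item path=Description output=Descr
| spath input=item path=ErrorMessage output=ErrorMessage
| table _time, Descr, ErrorMessage
```

Against real events, drop the first two lines and start from the base search; rows whose object has no ErrorMessage show an empty cell in that column.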