I have a field that looks something like this in the event viewer:
project_sources: [
  {
    scmEvent: {
      message: message1
      sha: xxxxxx
      ......
    }
  }
  {
    scmEvent: {
      message: message2
      sha: yyyyyyy
      ......
    }
  }
]
My end goal is to extract scmEvent.sha for the first element in the sources array as efficiently as possible. Can I do that somehow with tstats?
These two queries give me the same results:
1. index=myIndex | stats count by project_sources{}.scmEvent.message, sources{}.scmEvent.sha
2. | tstats count where index=myIndex by project_sources{}.scmEvent.message, sources{}.scmEvent.sha
For these cases I will get a table with something like this:
message1 xxxxx 30
message1 yyyyy 30
message2 xxxxx 30
message2 yyyyy 30
So it seems like the stats commands are counting all combinations of fields in element 0 and element 1 of sources.
Can I extract only one of the elements using tstats?
(This may be a trivial thing to do, but I still haven't fully grasped how fields that are dictionaries/arrays work.)
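Added example, not part of the original post: a small Python model (not Splunk code) of why counting by two multivalue fields yields every message/sha combination, and how keeping only index 0 of the sha field per event, as `eval first_sha=mvindex(..., 0)` does in SPL, avoids it. It assumes both fields live under `project_sources{}` and uses 30 constructed events shaped like the sample in the post; the function names are hypothetical.

```python
import itertools
from collections import Counter

def flatten(obj, prefix=""):
    """Model of JSON auto-extraction: arrays become '{}' in the field name and
    every leaf under the same path is collected into one multivalue field."""
    fields = {}
    if isinstance(obj, dict):
        for key, val in obj.items():
            path = f"{prefix}.{key}" if prefix else key
            for name, vals in flatten(val, path).items():
                fields.setdefault(name, []).extend(vals)
    elif isinstance(obj, list):
        for item in obj:
            for name, vals in flatten(item, prefix + "{}").items():
                fields.setdefault(name, []).extend(vals)
    else:
        fields[prefix] = [str(obj)]
    return fields

def stats_count_by(events, by_fields):
    """Model of 'stats count by f1, f2': an event counts once for every
    combination of values of its multivalue by-fields."""
    counts = Counter()
    for ev in events:
        values = [ev.get(f, []) for f in by_fields]
        for combo in itertools.product(*values):
            counts[combo] += 1
    return counts

def first_element(events, field, out):
    """Keep only index 0 of a multivalue field, like eval out=mvindex(field, 0)."""
    return [{**ev, out: ev[field][:1]} for ev in events if ev.get(field)]

# Constructed sample: 30 identical events shaped like the one in the post.
RAW = {"project_sources": [
    {"scmEvent": {"message": "message1", "sha": "xxxxxx"}},
    {"scmEvent": {"message": "message2", "sha": "yyyyyyy"}},
]}
EVENTS = [flatten(RAW) for _ in range(30)]
MSG = "project_sources{}.scmEvent.message"
SHA = "project_sources{}.scmEvent.sha"

if __name__ == "__main__":
    for combo, n in sorted(stats_count_by(EVENTS, [MSG, SHA]).items()):
        print(*combo, n)  # one row per message/sha combination
    firsts = first_element(EVENTS, SHA, "first_sha")
    print(dict(stats_count_by(firsts, ["first_sha"])))
```

The pairing between a message and its sha is lost once the array is flattened into two separate multivalue fields, which is why the first element has to be selected per event before aggregating.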