Hi, this still isn't working.
Here are a couple of additional details:
1. For 'contextTypes' and 'contextValues', there can be anywhere from 1 pair to 25+ pairs. In "| eval temp=split("my,my,my,my,my,my,my,my,my,my", ",")" there are only 10 "my"; this exact alert actually has 12 pairs.
2. There may be anywhere from 1 to 25+ alerts in a sampling period (i.e. the past 24 hours); my example above just happened to have 10 results at that time.
Here is my current code:
index=util_prod source=nutanix:alerts alertTypeUuid=A1024
| kv
| rename raw AS orig_raw
| rename *{} as *
| eval temp=split("my,my,my,my,my,my,my,my,my,my", ",")
| eval _raw=mvzip(temp,mvzip(contextTypes,contextValues,"="),"")
| kv
| fields - raw
| foreach my* [eval message=replace(message,"\{<<MATCHSTR>>\}","\"".<<FIELD>>."\"")]
| fields message
| table message
Here is what "_raw" is for the first result (I skewed some of the content data):
{"lastOccurrenceTimeStampInUsecs": 1555645972077454, "contextTypes": ["ip_address", "vm_type", "reboot_timestamp_str", "service_vm_external_ip", "service_vm_id", "maintenance_mode", "reboot_timestamp_secs", "ncc_version", "nos_version", "node_uuid", "node_serial", "block_serial"], "createdTimeStampInUsecs": 1555645972077454, "acknowledgedByUsername": "", "contextValues": ["10.1.2.3", "CVM", "Fri Apr 19 03:44:00 2019", "10.1.2.3", "43", "false", "15556734544210", "3.5.3.1-7663af3f", "5.5.4", "83f67898-7322-4945-b29d-7200b899433586f", "OM173S043400296", "17SM76343320208"], "resolved": false, "detailedMessage": "", "resolvedTimeStampInUsecs": 0, "clusterUuid": "0005591a-8548-03cb-0000-000043000176d5", "acknowledgedTimeStampInUsecs": 0, "checkId": "0005591a-8548-03cb-0000-0043400000176d5::3028", "nodeUuid": "83f67898-7322-4945-b29d-7200b434899586f", "alertTitle": "{vm_type} {ip_address} rebooted", "resolvedByUsername": "", "alertTypeUuid": "A1024", "originatingClusterUuid": "0005591a-8548-03cb-0000-0000434000176d5", "impact": "kUnknown", "alertDetails": null, "id": "abb434d6874-a78f-4f87-b066-c641be4ec904", "entityIds": ["0005594341a-8548-03cb-0000-0000000176d5::43"], "entityTypes": ["host"], "severity": "kCritical", "serviceVMId": "0005591a-8548-03cb-004300-0000000176d5::43", "categories": ["SystemIndicator", "ControllerVM"], "possibleCauses": [], "message": "{vm_type} {ip_address} has been rebooted on {reboot_timestamp_str}.", "acknowledged": false, "autoResolved": false, "entityUuids": ["83f67898-7322-4945-b29d-7200b65899586f"]}
I even added "| head 1" and the new code still fails.
Thoughts?
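One way to fill the placeholders without hard-coding the number of pairs is to loop over list positions with foreach and mvindex, instead of zipping the pairs into a fake _raw and re-extracting them. The search below is an added example, not the original poster's search. It assumes the JSON is extracted with spath (so the arrays arrive as contextTypes{} and contextValues{}), that foreach accepts literal index tokens as its field list (a common Splunk idiom; confirm it on your version), and an upper bound of 30 pairs, which you raise by extending the token list:

```spl
index=util_prod source=nutanix:alerts alertTypeUuid=A1024
| spath
| rename contextTypes{} AS ctx_types, contextValues{} AS ctx_values
| eval rendered=message
| foreach 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29
    [ eval rendered=if(isnull(mvindex(ctx_types, <<FIELD>>)) OR isnull(mvindex(ctx_values, <<FIELD>>)),
        rendered,
        replace(rendered, "\{".mvindex(ctx_types, <<FIELD>>)."\}", mvindex(ctx_values, <<FIELD>>))) ]
| table id severity alertTitle rendered
```

For the first result above this yields "CVM 10.1.2.3 has been rebooted on Fri Apr 19 03:44:00 2019." in rendered, and the 12th pair (block_serial) is reached because mvindex past the end of a list returns null and the if() simply leaves the message untouched for those positions. alertTitle can be rendered the same way by adding a second assignment to the eval. Two caveats carry over to the original approach as well: mvzip truncates to the shorter of its two lists, so ten "my" tokens cap substitution at ten pairs regardless of how many the alert carries, and the third argument of replace() is a regex replacement string, so a context value containing a backslash or a dollar sign will not be inserted literally.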