Data resembles this pattern.
| makeresults
| eval _raw="{\"foo\": [{\"randstring1\": {\"fqdn\" : \"ibar.example.com\"}}, {\"randstring2\": {\"fqdn\" : \"jbar.example.com\"} }]}"
I am trying to extract the two FQDNs when the containing field name foo{}.* is a random string. Any hints on how to get this data?
I've tried a few different options with spath and can't seem to get it to work. I could try a rex, but I was really hoping to avoid that.
Basically, what I want at the end is a field (multivalue in this case) that has as value ibar.example.com and jbar.example.com.
... View more