topic Re: Extract value from string array in Getting Data In

Extract value from string array

max_jay — Mon, 23 Dec 2019 08:13:29 GMT

Log
{"thread":"scheduling-1","level":"INFO","loggerName":"com.Logger","message":"{\"eventPipelineId\":\"9099939b-dbaa-405a-acca-4bb1a34947ca\",\"sourceStreamNames\":[\"FROCE\"],\"teamName\":\"abc\",\"eventPipelineName\":\"FMS\",\"alertEmail\":null,\"teamId\":\"6bd87eb2-f39c-4a28-ba6c-81cb4d5f7e78\",\"sourceActivityIds\":[\"7f6ba562-0179-4093-9df6-68778bf7880a\"],\"HTTP_DELIVERY\":true,\"activityIds\":[\"59bdc1cb-1842-45e5-aec2-d47c204c1d63\"],\"activityNames\":[\"HTTP\"],\"communicationEmail\":null,\"sourceActivityNames\":[\"FMS2\"]}","endOfBatch":false,"loggerFqcn":"org.apache.logging.log4j.spi.AbstractLogger","instant":{"epochSecond":1577075374,"nanoOfSecond":380000000},"contextMap":{"X-B3-SpanId":"0715d09baa318543","X-B3-TraceId":"5e0042adb80e1a350715d09baa318543","X-Span-Export":"true","spanExportable":"true","spanId":"0715d09baa318543","traceId":"5e0042adb80e1a350715d09baa318543"},"threadId":30,"threadPriority":5,"logGroup":"test-Service"}

Query

index=app  | spath input=_raw output=loggerName path=loggerName | search loggerName="com.Logger" | spath input=message | table eventPipelineName, sourceStreamNames

Result

|eventPipelineName  | sourceStreamNames |
|FMS                |                   |

There are two problems
1. Am not getting sourceStreamNames. It is empty.
2. After getting value need to fetch first value from array value.

Expected result

|eventPipelineName  | sourceStreamNames |
|FMS                |      FROCE        |

Re: Extract value from string array

kamlesh_vaghela — Mon, 23 Dec 2019 17:01:51 GMT

@max_jay

Can you please try this?

 index=app | eval _raw=message | extract | rename "sourceStreamNames{}" as sourceStreamNames | table eventPipelineName sourceStreamNames

Sample Search:

| makeresults 
| eval _raw="{\"thread\":\"scheduling-1\",\"level\":\"INFO\",\"loggerName\":\"com.Logger\",\"message\":\"{\\\"eventPipelineId\\\":\\\"9099939b-dbaa-405a-acca-4bb1a34947ca\\\",\\\"sourceStreamNames\\\":[\\\"FROCE\\\"],\\\"teamName\\\":\\\"abc\\\",\\\"eventPipelineName\\\":\\\"FMS\\\",\\\"alertEmail\\\":null,\\\"teamId\\\":\\\"6bd87eb2-f39c-4a28-ba6c-81cb4d5f7e78\\\",\\\"sourceActivityIds\\\":[\\\"7f6ba562-0179-4093-9df6-68778bf7880a\\\"],\\\"HTTP_DELIVERY\\\":true,\\\"activityIds\\\":[\\\"59bdc1cb-1842-45e5-aec2-d47c204c1d63\\\"],\\\"activityNames\\\":[\\\"HTTP\\\"],\\\"communicationEmail\\\":null,\\\"sourceActivityNames\\\":[\\\"FMS2\\\"]}\",\"endOfBatch\":false,\"loggerFqcn\":\"org.apache.logging.log4j.spi.AbstractLogger\",\"instant\":{\"epochSecond\":1577075374,\"nanoOfSecond\":380000000},\"contextMap\":{\"X-B3-SpanId\":\"0715d09baa318543\",\"X-B3-TraceId\":\"5e0042adb80e1a350715d09baa318543\",\"X-Span-Export\":\"true\",\"spanExportable\":\"true\",\"spanId\":\"0715d09baa318543\",\"traceId\":\"5e0042adb80e1a350715d09baa318543\"},\"threadId\":30,\"threadPriority\":5,\"logGroup\":\"test-Service\"}" 
| extract | eval _raw=message 
| extract | rename "sourceStreamNames{}" as sourceStreamNames 
| table eventPipelineName sourceStreamNames

Thanks

Re: Extract value from string array

max_jay — Mon, 23 Dec 2019 18:11:38 GMT

Thanks, it worked!