topic Re: Removing Single Fields From a List of Maps in Splunk Search https://community.splunk.com/t5/Splunk-Search/Removing-Single-Fields-From-a-List-of-Maps/m-p/540611#M152950 <P>&nbsp;</P><LI-CODE lang="markup">index=_internal | head 1 |fields _raw | eval _raw="{\"stages\":[{\"duration\":12,\"status\":\"Success\",\"children\":[{\"test\":\"integration\",\"result\":\"passed\"},{\"test\":\"regression\",\"result\":\"failed\"}]},{\"duration\":1.5,\"status\":\"Success\",\"children\":[{\"test\":\"unit\",\"result\":\"passed\"},{\"test\":\"regression\",\"result\":\"passed\"}]},{\"duration\":3.1,\"status\":\"Success\",\"children\":[{\"test\":\"integration\",\"result\":\"passed\"},{\"test\":\"unit\",\"result\":\"failed\"}]}]}" | spath stages{} output=stages | stats count by stages | streamstats count as session | spath input=stages children{} output=child | spath input=stages duration | spath input=stages status | stats values(duration) as duration values(status) as status by session child | spath input=child | fields - session child</LI-CODE><P>&nbsp;</P><P>You can make a table with it.</P><P>&nbsp;</P><LI-CODE lang="markup">index=_internal | head 1 |fields _raw | eval _raw="{\"stages\":[{\"duration\":12,\"status\":\"Success\",\"children\":[{\"test\":\"integration\",\"result\":\"passed\"},{\"test\":\"regression\",\"result\":\"failed\"}]},{\"duration\":1.5,\"status\":\"Success\",\"children\":[{\"test\":\"unit\",\"result\":\"passed\"},{\"test\":\"regression\",\"result\":\"passed\"}]},{\"duration\":3.1,\"status\":\"Success\",\"children\":[{\"test\":\"integration\",\"result\":\"passed\"},{\"test\":\"unit\",\"result\":\"failed\"}]}]}" | rex mode=sed "s/children\":\[.*?\]/children\":[]/g"</LI-CODE><P>If you want to delete it, try this.</P><P>&nbsp;</P> Sat, 20 Feb 2021 01:58:27 GMT to4kawa 2021-02-20T01:58:27Z Removing Single Fields From a List of Maps https://community.splunk.com/t5/Splunk-Search/Removing-Single-Fields-From-a-List-of-Maps/m-p/540594#M152944 <P>Hi,</P><P>I have an event json similar to:<BR /><BR />{"stages":[{"duration":12,"status":"Success","children":[{"test":"integration","result":"passed"},{"test":"regression","result":"failed"}]},{"duration":1.5,"status":"Success","children":[{"test":"unit","result":"passed"},{"test":"regression","result":"passed"}]},{"duration":3.1,"status":"Success","children":[{"test":"integration","result":"passed"},{"test":"unit","result":"failed"}]}]}</P><P>where children is a list of maps inside a list of maps.&nbsp; The problem is that this list is so large that it exceeds the 10000 character limit.&nbsp; I don't have admin access so cannot increase this limit.&nbsp; What I would like to is remove the children field inside of each map in the stages list.&nbsp; I've tried numerous attempts without any luck.&nbsp; Anyone know of a way to do this?</P><P>Thanks</P> Fri, 19 Feb 2021 22:57:45 GMT https://community.splunk.com/t5/Splunk-Search/Removing-Single-Fields-From-a-List-of-Maps/m-p/540594#M152944 steeleverint 2021-02-19T22:57:45Z Re: Removing Single Fields From a List of Maps https://community.splunk.com/t5/Splunk-Search/Removing-Single-Fields-From-a-List-of-Maps/m-p/540611#M152950 <P>&nbsp;</P><LI-CODE lang="markup">index=_internal | head 1 |fields _raw | eval _raw="{\"stages\":[{\"duration\":12,\"status\":\"Success\",\"children\":[{\"test\":\"integration\",\"result\":\"passed\"},{\"test\":\"regression\",\"result\":\"failed\"}]},{\"duration\":1.5,\"status\":\"Success\",\"children\":[{\"test\":\"unit\",\"result\":\"passed\"},{\"test\":\"regression\",\"result\":\"passed\"}]},{\"duration\":3.1,\"status\":\"Success\",\"children\":[{\"test\":\"integration\",\"result\":\"passed\"},{\"test\":\"unit\",\"result\":\"failed\"}]}]}" | spath stages{} output=stages | stats count by stages | streamstats count as session | spath input=stages children{} output=child | spath input=stages duration | spath input=stages status | stats values(duration) as duration values(status) as status by session child | spath input=child | fields - session child</LI-CODE><P>&nbsp;</P><P>You can make a table with it.</P><P>&nbsp;</P><LI-CODE lang="markup">index=_internal | head 1 |fields _raw | eval _raw="{\"stages\":[{\"duration\":12,\"status\":\"Success\",\"children\":[{\"test\":\"integration\",\"result\":\"passed\"},{\"test\":\"regression\",\"result\":\"failed\"}]},{\"duration\":1.5,\"status\":\"Success\",\"children\":[{\"test\":\"unit\",\"result\":\"passed\"},{\"test\":\"regression\",\"result\":\"passed\"}]},{\"duration\":3.1,\"status\":\"Success\",\"children\":[{\"test\":\"integration\",\"result\":\"passed\"},{\"test\":\"unit\",\"result\":\"failed\"}]}]}" | rex mode=sed "s/children\":\[.*?\]/children\":[]/g"</LI-CODE><P>If you want to delete it, try this.</P><P>&nbsp;</P> Sat, 20 Feb 2021 01:58:27 GMT https://community.splunk.com/t5/Splunk-Search/Removing-Single-Fields-From-a-List-of-Maps/m-p/540611#M152950 to4kawa 2021-02-20T01:58:27Z Re: Removing Single Fields From a List of Maps https://community.splunk.com/t5/Splunk-Search/Removing-Single-Fields-From-a-List-of-Maps/m-p/540925#M153094 <P>Thanks.&nbsp; That did the trick.&nbsp; Just did a slight modification to remove the field altogether:<BR /><BR />rex mode=sed "s/\"children\":\[.*?\],//g"</P> Mon, 22 Feb 2021 23:36:14 GMT https://community.splunk.com/t5/Splunk-Search/Removing-Single-Fields-From-a-List-of-Maps/m-p/540925#M153094 steeleverint 2021-02-22T23:36:14Z