How to parse array to get only required attribute?

Techie · ‎02-01-2023

Hello,

I have an array of timeline event.

Timeline: [ [-]
       { [-]
         deltaToStart: 788
         startTime: 2023-02-01T21:56:11Z
         type: service1
       }
       { [-]
         deltaToStart: 653
         startTime: 2023-02-01T21:56:11.135Z
         type: service2
       }
     ]

I would like to table deltaToStart value only of type service1.

Thanks.

Techie · ‎02-03-2023

@ITWhisperer , thanks for responding. Can you also help me to calculate sum of both durations and table all 3 fields (message.duration, deltaToStart, total_time)

total_time = message.duration + deltaToStart (of type service1)

message: { [-]
duration: 182
Timeline: [ [-]
{ [-]
deltaToStart: 788
startTime: 2023-02-01T21:56:11Z
type: service1
}
{ [-]
deltaToStart: 653
startTime: 2023-02-01T21:56:11.135Z
type: service2
}
]
}

ITWhisperer · ‎02-03-2023

What have you tried so far?

ITWhisperer · ‎02-02-2023

Try something like this

| spath Timeline{} output=Timeline
| mvexpand Timeline
| spath input=Timeline
| where type="service1"
| table deltaToStart

How to parse array to get only required attribute?

field extraction

Data Management Digest – December 2025

Index This | What is broken 80% of the time by February?

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...

Join the Conversation

How to parse array to get only required attribute?

field extraction

Data Management Digest – December 2025

Index This | What is broken 80% of the time by February?

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...