Hi all,
I'm trying to convert the message body of my events into fields.
The structure of the event message is in a comma delimeted key-value pair format. An example of the structure is:
| Time | Event |
10/08/2021
15:09:49.000 | Timestamp,10/08/2021 15:09:49,Environment,EUAT,Artefact,ICE,Application,ICE,Domain,ws,Status,RUNNING |
10/08/2021
15:09:49.000 | Timestamp,10/08/2021 15:09:49,Environment,EUAT,Artefact,ICE,Application,Radiating Whitespaced App,Domain,dc,Status,ERROR |
10/08/2021
15:09:49.000 | Timestamp,10/08/2021 15:09:49,Environment,DEV,Artefact,MC,Application,MCIO,AppID,4,Hostname,4569erg,Domain,wsdc,Status,STOPPED |
Is there a way, through a search query to make every odd value a 'field' and every even value a corresponding 'value' for that field. Therefore, 'Timestamp' would be a field, with it's corresponding value, then 'Environment' would be the next field.
The tricky part is that there can be varying lengths of key-value pair strings in the events. For instance, the first row has 6 pairs of key-value pairs, whereas the third row has 8.
Any help would be greatly appreciated!
