Solved: How to create fields based on multivalue field of ...

denissotoacc · ‎06-10-2022

I have the following json event:

{
  "tags": 
  [
    {"key":"Name","value":"Damian"},
    {"key":"Age","value":34},
    {"key":"Country","value":"Argentina"},
    {"key":"City","value":"Buenos Aires"}
  ]
}

I need to extract the correspondent fields in my event, with the key and value:

Name="Damian"
Age="34"
Country="Argentina"
City="Buenos Aires"

This is what I tried:

| spath path=tags{}.key output=a_keys
| spath path=tags{}.value output=a_values
| eval {a_keys} = a_value

But the result of it is a multivalued field:

Name Age Country City = [ "Damian", "34", "Argentina", "Buenos Aires" ]

How can I create the correct fields?

ITWhisperer · ‎06-10-2022

| spath path=tags{}.key output=a_keys
| spath path=tags{}.value output=a_values
| streamstats count as _event
| eval n_values=mvrange(0,mvcount(a_keys))
| mvexpand n_values
| foreach a_*
    [| eval _key=mvindex(a_keys,n_values)
    | eval {_key}=mvindex(a_values,n_values)]
| stats values(*) as * values(_*) as _* by _event
| fields - n_values

View solution in original post

ITWhisperer · ‎06-10-2022

| spath path=tags{}.key output=a_keys
| spath path=tags{}.value output=a_values
| streamstats count as _event
| eval n_values=mvrange(0,mvcount(a_keys))
| mvexpand n_values
| foreach a_*
    [| eval _key=mvindex(a_keys,n_values)
    | eval {_key}=mvindex(a_values,n_values)]
| stats values(*) as * values(_*) as _* by _event
| fields - n_values

How to create fields based on multivalue field of keys, and multivalue field of values

eval

Exciting News: The AppDynamics Community Joins Splunk!

The All New Performance Insights for Splunk

Good Sourcetype Naming

Are you a member of the Splunk Community?

How to create fields based on multivalue field of keys, and multivalue field of values

eval

Exciting News: The AppDynamics Community Joins Splunk!

The All New Performance Insights for Splunk

Good Sourcetype Naming