Solved: Re: How to create fields based on multivalue field...

denissotoacc · ‎06-10-2022

I have the following json event:

{
  "tags": 
  [
    {"key":"Name","value":"Damian"},
    {"key":"Age","value":34},
    {"key":"Country","value":"Argentina"},
    {"key":"City","value":"Buenos Aires"}
  ]
}

I need to extract the correspondent fields in my event, with the key and value:

Name="Damian"
Age="34"
Country="Argentina"
City="Buenos Aires"

This is what I tried:

| spath path=tags{}.key output=a_keys
| spath path=tags{}.value output=a_values
| eval {a_keys} = a_value

But the result of it is a multivalued field:

Name Age Country City = [ "Damian", "34", "Argentina", "Buenos Aires" ]

How can I create the correct fields?

ITWhisperer · ‎06-10-2022

| spath path=tags{}.key output=a_keys
| spath path=tags{}.value output=a_values
| streamstats count as _event
| eval n_values=mvrange(0,mvcount(a_keys))
| mvexpand n_values
| foreach a_*
    [| eval _key=mvindex(a_keys,n_values)
    | eval {_key}=mvindex(a_values,n_values)]
| stats values(*) as * values(_*) as _* by _event
| fields - n_values

View solution in original post

ITWhisperer · ‎06-10-2022

| spath path=tags{}.key output=a_keys
| spath path=tags{}.value output=a_values
| streamstats count as _event
| eval n_values=mvrange(0,mvcount(a_keys))
| mvexpand n_values
| foreach a_*
    [| eval _key=mvindex(a_keys,n_values)
    | eval {_key}=mvindex(a_values,n_values)]
| stats values(*) as * values(_*) as _* by _event
| fields - n_values

How to create fields based on multivalue field of keys, and multivalue field of values

eval

Can’t make it to .conf25? Join us online!

Community Content Calendar, September edition

Splunkbase Unveils New App Listing Management Public Preview

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you a member of the Splunk Community?