How to create list data type value from search spl...

vivekbs · ‎08-16-2022

section for calculation_window_telemetry in /apps/SA-ITOA/default/savedsearches.conf:

"""
search = | inputlookup calculation_window_telemetry_lookup | eval zipped = mvzip('kpis.title', 'kpis.search_alert_earliest' , ",") | fields - kpis.title, kpis.search_alert_earliest| mvexpand zipped | eval x = split(zipped,",") | eval kpi_title = mvindex(x, 0) | eval search_alert_earliest = mvindex(x, 1) | fields - x, zipped| eval calculation_window_{search_alert_earliest}_min = 1 | where kpi_title!="ServiceHealthScore" | fields calc* | stats sum(*) as *
"""

Search Query:

"""
| savedsearch calculation_window_telemetry
  | fields calculation_window_1_min calculation_window_5_min calculation_window_15_min calculation_window_1440_min | addtotals
  | rename Total as data.calculationWindowUsage.predefinedWindow.totalCount
  | rename calculation_window_1_min as data.calculationWindowUsage.predefinedWindow.calculationWindowValueCount.calculation_window_1_min
  | rename calculation_window_5_min as data.calculationWindowUsage.predefinedWindow.calculationWindowValueCount.calculation_window_5_min
  | rename calculation_window_15_min as data.calculationWindowUsage.predefinedWindow.calculationWindowValueCount.calculation_window_15_min
  | rename calculation_window_1440_min as data.calculationWindowUsage.predefinedWindow.calculationWindowValueCount.calculation_window_1440_min
  | append [ | savedsearch calculation_window_telemetry
  | fields - calculation_window_1_min calculation_window_5_min calculation_window_15_min calculation_window_1440_min | addtotals
  | rename Total as data.calculationWindowUsage.customWindow.totalCount
  | rename "calculation*" as data.calculationWindowUsage.customWindow.calculationWindowValueCount.calculation*]
  | stats first(*) as * | fillnull | makejson version(string),data.* output=event | table event
"""

Current output:

{
	"data": {
		"calculationWindowUsage": {
			"customWindow": {
				"calculationWindowValueCount": {
					"calculation_window_1260_min": 1,
					"calculation_window_111_min": 1
				},
				"totalCount": 2
			},
			"predefinedWindow": {
				"calculationWindowValueCount": {
					"calculation_window_1440_min": 1,
					"calculation_window_15_min": 1,
					"calculation_window_1_min": 1,
					"calculation_window_5_min": 1
				},
				"totalCount": 4
			}
		}
	}
}

Expected output:

{
  "data": {
    "calculationWindowUsage": {
      "customWindow": {
        "calculationWindowValueCount": [{
          "calculation_window_value": 1260,
          "count": 1
        },
        {
          "calculation_window_value": 111,
          "count": 1
        }],
        "total_count": 2
    },
    "predefinedWindow": {
      "calculationWindowValueCount": [{
          "calculation_window_value": 1,
          "count": 1
        },
        {
          "calculation_window_value": 5,
          "count": 1
        },
        {
          "calculation_window_value": 15,
          "count": 1
        },
        {
          "calculation_window_value": 1440,
          "count": 1
        }],
        "total_count": 4,
      }
    }
  }
}

I required output in list of dictionary, can anyone help me on this.
Thank you.

How to create list data type value from search spl query ?

table

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases