Hi, I have fields from a JSON file that are getting parsed like this:
I'm struggling to find a way to turn those fields into columns in a table. Anyone have any experience with this?
Thank you
Hi, would something like this work for you?
|makeresults
| eval json="{\"Packets\":{\"0\": 4, \"1\": 3}, \"Bytes\":{\"0\":8, \"1\":42} }"
| spath input=json
| table Packets.* Bytes.*
Basically I take the string, parse it to json, then I can use dot notation and wildcards to extract the key names to be column names.
Okay, I misunderstood. I think you are asking for something like this?
Index Packet Bytes
0 1 10
1 4 40
2 2 20
|makeresults
| eval json="{\"Packets\":{\"0\": 4, \"1\": 3}, \"Bytes\":{\"0\":8, \"1\":42} }"
| spath input=json
| table Packets.* Bytes.*
| eval indexes=null(),
packets=null(),
bytes=null()
| foreach Packets.* [ eval indexes=mvappend(indexes,"<<MATCHSEG1>>"), packets=mvappend(packets,'<<FIELD>>') ]
| foreach Bytes.* [ eval bytes=mvappend(bytes,'<<FIELD>>') ]
| eval i_p_b=mvzip(mvzip(indexes, packets), bytes)
| fields i_p_b
| mvexpand i_p_b
| rex field=i_p_b "^(?<index>\d+),(?<packet>\d+),(?<bytes>\d+)"
Yes, this is exactly what I'm looking for. However, when I run it on my data (with all fields included), my table is empty. What am I doing wrong?
