Hello,
I'm faced today with something I do not understand.
Here is the structure of my event (JSON structured):
{
  dateReponse: 1618309228736
  dateRequete: 1618309228622
  id: 4572d
  reponse: {
    dossier: [
      {
        $c: PERSONNE
        $i: 1
        $l: 1
        dateCreation: 1477036197000
        dateModification: 1495047526000
        id: 1
      }
      {
        $c: IDENTITE
        $i: 2
        $l: 1
        dateCreation: 1477036197000
        dateModification: 1513858108603
        nom: NOM1
        prenom: prenom1
      }
      {
        $c: IDENTITE
        $i: 3
        $l: 1
        dateCreation: 1479206837000
        dateModification: 1513858108603
        nom: NOM2
      }
    ]
  }
}
I'd like to fillnull the field reponse.dossier{}.prenom with "unknown" when not present.
The content keeps being blank.
I tried adding mvexpand and spath (even if it's already json parsed), no luck.
| mvexpand reponse.dossier{}.nom
| spath input=reponse.dossier{}
| fillnull value="unknown" reponse.dossier{}.prenom
I've tried adding a complete new field after reponse.dossier{}.prenom in the fillnull command, it worked just fine for the new field. Still not for my reponse.dossier{}.prenom.
I think I missed something, somewhere.
Any suggestions?
Thanks in advance,
Ema
hi @emallinger,
You need to expand all the child dictionaries in the field dossier. Try this, here the field name will be prenom instead of reponse.dossier{}.prenom.
index=index sourcetype=sourcetype
| rex max_match=0 "(?<event>\{[^\{]+?\})"
| mvexpand event
| spath input=event
| fillnull value="unknown" prenom
If this reply helps you, a like would be appreciated.
Hi !
Thank you very much !
Now I just have to integrate this into my whole request, but it'll be fine.
Regards,
Ema
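Added example, not part of the posts above: a self-contained search that rebuilds a trimmed copy of the event with makeresults (sample values are constructed, and the output field name dossier is an assumption) and splits the array with spath instead of rex. On the original event, reponse.dossier{}.prenom is a multivalue field that already holds prenom1, so it is not null and fillnull has nothing to fill; once each array element is its own result, the missing prenom is a real null.

```spl
| makeresults
| eval _raw="{\"id\":\"4572d\",\"reponse\":{\"dossier\":[{\"id\":1,\"dateCreation\":1477036197000},{\"nom\":\"NOM1\",\"prenom\":\"prenom1\",\"dateCreation\":1477036197000},{\"nom\":\"NOM2\",\"dateCreation\":1479206837000}]}}"
| spath path=reponse.dossier{} output=dossier
| mvexpand dossier
| spath input=dossier
| fillnull value="unknown" prenom
| table nom prenom
```

The first array element has no prenom either, so it is also filled with unknown.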