So I have the following _json event that I need to wrangle into a more useful format.
As you can see there are 2 key:value pairs that are related, e.g name = and value =

For example I would like to combine the following into 1 field like a re-key, but do it globally for the entire source.

name: target_user
value: rey.skywalker@jedi.com

name:target_user,value: rey.skywalker@jedi.com or target_user= rey.skywalker@jedi.com

any suggestions appreciated, I tried a props and transforms on the search head with no luck.... thx in advance

{ [-]
actor: { [-]
email: kilo.ren@sith.com
profileId: 100
}
etag: "abcd1234"
events: [ [-]
{ [-]
name: edit
parameters: [ [-]
{ [-]
boolValue: false
name: primary_event
}
{ [-]
boolValue: true
name: billable
}
{ [-]
name: doc_id
value: jakjd446532
}
{ [-]
name: doc_type
value: pdf
}
{ [-]
name: doc_title
value: Overview.pdf
}
{ [-]
name: visibility
value: shared_externally
}
{ [-]
name: owner
value: kilo.ren@sith.com
}
{ [-]
boolValue: false
name: owner_is_shared_drive
}
{ [-]
boolValue: false
name: owner_is_team_drive
}
]
type: access
}
{ [-]
name: change_user_access
parameters: [ [-]
{ [-]
boolValue: true
name: primary_event
}
{ [-]
boolValue: true
name: billable
}
{ [-]
name: visibility_change
value: external
}
{ [-]
name: target_user
value: rey.skywalker@jedi.com
}
{ [-]
multiValue: [ [+]
]
name: old_value
}
{ [-]
multiValue: [ [+]
]
name: new_value
}
{ [-]
name: old_visibility
value: private
}
{ [-]
name: doc_id
value: 1d8546542318
}
{ [-]
name: doc_type
value: pdf
}
{ [-]
name: doc_title
value: Overview.pdf
}
{ [-]
name: visibility
value: shared_externally
}
{ [-]
name: owner
value: kilo.ren@sith.com
}
{ [-]
boolValue: false
name: owner_is_shared_drive
}
{ [-]
boolValue: false
name: owner_is_team_drive
}
]
type: acl_change
}
]
id: { [-]
applicationName: drive
customerId: abcd1234
time: 2020-01-12T18:42:34.543Z
uniqueQualifier: 123456
}
kind: admin#reports#activity
}
Show as raw text