1 Solution
Does the following search help? This uses json_ functions and mvexpand to split out and then match up the fields and expressions:
| datamodel
| spath output=modelName modelName
|search modelName=Network_Traffic
| eval objects=json_array_to_mv(json_extract(_raw,"objects"))
| mvexpand objects
| eval calculations=json_array_to_mv(json_extract(objects,"calculations"))
| mvexpand calculations
| eval outputFields=json_array_to_mv(json_extract(calculations,"outputFields"))
| mvexpand outputFields
| eval fieldName=json_extract(outputFields,"fieldName")
| eval expression=json_extract(calculations,"expression")
| table modelName fieldName expression
Does the following search help? This uses json_ functions and mvexpand to split out and then match up the fields and expressions:
| datamodel
| spath output=modelName modelName
|search modelName=Network_Traffic
| eval objects=json_array_to_mv(json_extract(_raw,"objects"))
| mvexpand objects
| eval calculations=json_array_to_mv(json_extract(objects,"calculations"))
| mvexpand calculations
| eval outputFields=json_array_to_mv(json_extract(calculations,"outputFields"))
| mvexpand outputFields
| eval fieldName=json_extract(outputFields,"fieldName")
| eval expression=json_extract(calculations,"expression")
| table modelName fieldName expression
