Hi Splunkers,
Can anyone please help with search time line break for the following log.
{"audits":[{"id":"000","version":1,"modified":"2020-09-11T12:28:44.351897585Z","sortValues":null,"action":{"JobID":"97979779797","Name":"TA"},"user":"x","object":"Jobs","type":"w","identifier":"0h0hh0h0hh"},{"id":"879789","version":1,"modified":"2020-09-11T12:27:46.568076802Z","sortValues":null,"action":{"JobID":"0000000"},"user":"KKK","object":"Jobs","type":"delete","identifier":""},{"id":"90808","version":1,"modified":"2020-09-11T12:25:04.808661137Z","sortValues":null,"action":{"JobID":"9889808088","Name":"KA"},"user":"uy","object":"Jobs","type":"add","identifier":"9878979797"},
I want to break the logs using {"id.
Thank you!
Are you trying to get each audit as a separate event?
| makeresults | eval event="{\"audits\":[{\"id\":\"000\",\"version\":1,\"modified\":\"2020-09-11T12:28:44.351897585Z\",\"sortValues\":null,\"action\":{\"JobID\":\"97979779797\",\"Name\":\"TA\"},\"user\":\"x\",\"object\":\"Jobs\",\"type\":\"w\",\"identifier\":\"0h0hh0h0hh\"},{\"id\":\"879789\",\"version\":1,\"modified\":\"2020-09-11T12:27:46.568076802Z\",\"sortValues\":null,\"action\":{\"JobID\":\"0000000\"},\"user\":\"KKK\",\"object\":\"Jobs\",\"type\":\"delete\",\"identifier\":\"\"},{\"id\":\"90808\",\"version\":1,\"modified\":\"2020-09-11T12:25:04.808661137Z\",\"sortValues\":null,\"action\":{\"JobID\":\"9889808088\",\"Name\":\"KA\"},\"user\":\"uy\",\"object\":\"Jobs\",\"type\":\"add\",\"identifier\":\"9878979797\"}]}"
| spath input=event path=audits{}
| rename audits{} as audits
| mvexpand audits
| fields audits
| fields - _time
I am confused that what should be the "eval event=" ? here as I know the field=_raw.
eval event= is me just making some sample data - you can start with
... your search
| spath path=audits{}
| rename audits{} as audits
| mvexpand audits
| fields audits
| fields - _time
I tried the below query but no results.
index=test_logs
| spath path=audits{}
| rename audits{} as audits
| mvexpand audits
| fields audits
| fields - _time
Can you provide a couple of sample events?
index=test_logs
| head 2