- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I cannot use any of the fields extracted by spath inside an eval. The result is always null.
Input: (formatted for easy reading)
{
"meta": {
"emit_interval_s": 600
},
"operations": {
"kv": {
"Get": {
"total_count": 4,
"percentiles_us": {
"75": 17747.0,
"95": 18706.0,
"98": 18706.0,
"99": 18706.0,
"100": 18706.0
}
},
"GetClusterConfig": {
"total_count": 708,
"percentiles_us": {
"75": 13723.0,
"95": 14339.550000000001,
"98": 14567.56,
"99": 18207.0,
"100": 18207.0
}
},
"GetMeta": {
"total_count": 4,
"percentiles_us": {
"75": 15776.75,
"95": 16761.0,
"98": 16761.0,
"99": 16761.0,
"100": 16761.0
}
}
}
}
}
And this is query:
| spath input=json_field | eval a=operations.kv.Get.percentiles_us.100 | table json_field operations.kv.Get.percentiles_us.100 a
In the output, a is always null but the operations.kv.Get.percentiles_us.100 always displays the correct value.
What's happening here?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Of course, I've found the answer already. The trick is to use rename.
| rename operations.kv.Get.total_count as totalCount, operations.kv.Get.percentiles_us.100 as getPercentile100us | eval getPercentile100ms=(getPercentile100us/1000)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Of course, I've found the answer already. The trick is to use rename.
| rename operations.kv.Get.total_count as totalCount, operations.kv.Get.percentiles_us.100 as getPercentile100us | eval getPercentile100ms=(getPercentile100us/1000)
