I have a field named "test" which has the following json. If I do:
| fields
test{}.data{}{}.metric,
test{}.data{}{}.value,
| table test{}.data{}{}.metric perfdata{}.data{}{}.value
I get (first item) a, 20 and b, 10 etc. in my table
How do I search to get (second item) p, 50 and q, 60 etc. in my table? Trying test{}[1] did not work for me.
Thanks.
[
{
"data": [
[
{
"metric": "a",
"variables": {
"Task": "x"
},
"value": 20
},
{
"metric": "b",
"variables": {
"Task": "y"
},
"value": 10
},
{
"metric": "c",
"variables": {
"Task": "z"
},
"value": 745
}
]
]
},
{
"data": [
[
{
"metric": "p",
"variables": {
"Task": "e"
},
"value": 50
},
{
"metric": "q",
"variables": {
"Task": "f"
},
"value": 60
},
{
"metric": "r",
"variables": {
"Task": "g"
},
"value": 70
}
]
]
}
]
index=_internal | head 1 | fields _raw
| eval _raw="[{\"data\":[[{\"metric\":\"a\",\"variables\":{\"Task\":\"x\"},\"value\":20},{\"metric\":\"b\",\"variables\":{\"Task\":\"y\"},\"value\":10},{\"metric\":\"c\",\"variables\":{\"Task\":\"z\"},\"value\":745}]]},{\"data\":[[{\"metric\":\"p\",\"variables\":{\"Task\":\"e\"},\"value\":50},{\"metric\":\"q\",\"variables\":{\"Task\":\"f\"},\"value\":60},{\"metric\":\"r\",\"variables\":{\"Task\":\"g\"},\"value\":70}]]}]"
| spath {}.data{}{} output=data
| stats count by data
| spath input=data
| table metric variables* value
index=_internal | head 1 | fields _raw
| eval _raw="[{\"data\":[[{\"metric\":\"a\",\"variables\":{\"Task\":\"x\"},\"value\":20},{\"metric\":\"b\",\"variables\":{\"Task\":\"y\"},\"value\":10},{\"metric\":\"c\",\"variables\":{\"Task\":\"z\"},\"value\":745}]]},{\"data\":[[{\"metric\":\"p\",\"variables\":{\"Task\":\"e\"},\"value\":50},{\"metric\":\"q\",\"variables\":{\"Task\":\"f\"},\"value\":60},{\"metric\":\"r\",\"variables\":{\"Task\":\"g\"},\"value\":70}]]}]"
| spath {}.data{}{} output=data
| stats count by data
| spath input=data
| table metric variables* value
Thank you.