So there are two ways I can think of parsing this. One using MVExpand:

<base_search>
| spath path=info.indicators{} output=indicators
| table indicators
| eval time_count_indicator_json=case(
    isnull(indicators), null(),
    mvcount(indicators)==1, if(spath(indicators, "name")=="timeCountIndicator", 'indicators', null()),
    mvcount(indicators)>1, mvmap(indicators, if(spath(indicators, "name")=="timeCountIndicator", 'indicators', null()))
  )
| fields - indicators
``` Method 1 using MVExpand ```
| mvexpand time_count_indicator_json
| spath input=time_count_indicator_json
| fields - time_count_indicator_json

and another that is parsing an array of json_objects matching your criteria of only events "timeCountIndicator":

<base_search>
| spath path=info.indicators{} output=indicators
| table indicators
| eval time_count_indicator_json=case(
    isnull(indicators), null(),
    mvcount(indicators)==1, if(spath(indicators, "name")=="timeCountIndicator", 'indicators', null()),
    mvcount(indicators)>1, mvmap(indicators, if(spath(indicators, "name")=="timeCountIndicator", 'indicators', null()))
  )
| fields - indicators
``` Method 2 parsing MV Field as array of json_objects ```
| eval time_count_indicator_json_array="[".mvjoin(time_count_indicator_json, ",")."]"
| spath input=time_count_indicator_json_array
| fields - time_count_indicator_json, time_count_indicator_json_array
| rename "{}.*" as *

I personally find the mvexpand method to be a much cleaner output to work with. Method 2 could potentially lead to mvfields being unaligned if any of the json_objects have a null value for that field. But it depends on the use case and data volume you are trying to parse, because mvexpand can be memory intensive.

SPL used to replicate (Method 2 is left inside an SPL ``` ``` comment so the search runs Method 1 as-is; swap the comment markers to try Method 2):

| makeresults
| eval _raw="{\"env\": \"prod\", \"host\": \"prod\", \"name\": \"appName\", \"info\": {\"data\": [], \"indicators\": [{\"details\": {\"A.runTime\": 434, \"A.Count\": 0, \"B.runTime\": 0, \"B.Count\": 0}, \"name\": \"timeCountIndicator\", \"status\": \"UP\"}, {\"details\": {\"A.downCount\": 2, \"A.nullCount\": 0, \"B.downCount\": 0, \"B.nullCount\": 0}, \"name\": \"downCountIndicator\", \"status\": \"UP\"}, {\"details\": {\"A.runTime\": 333, \"A.Count\": 2, \"B.runTime\": 21, \"B.Count\": 4}, \"name\": \"timeCountIndicator\", \"status\": \"UP\"}], \"status\": \"DOWN\"}, \"metrics\": {}, \"ping\": 1}"
| spath path=info.indicators{} output=indicators
| table indicators
| eval time_count_indicator_json=case(
    isnull(indicators), null(),
    mvcount(indicators)==1, if(spath(indicators, "name")=="timeCountIndicator", 'indicators', null()),
    mvcount(indicators)>1, mvmap(indicators, if(spath(indicators, "name")=="timeCountIndicator", 'indicators', null()))
  )
| fields - indicators
``` Method 1 using MVExpand ```
| mvexpand time_count_indicator_json
| spath input=time_count_indicator_json
| fields - time_count_indicator_json
``` Method 2 parsing MV Field as array of json_objects ```
```
| eval time_count_indicator_json_array="[".mvjoin(time_count_indicator_json, ",")."]"
| spath input=time_count_indicator_json_array
| fields - time_count_indicator_json, time_count_indicator_json_array
| rename "{}.*" as *
```
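The alignment caveat from the answer above, modelled in Python as an added example (not the poster's SPL): the event from the makeresults is the input, and a constructed variant drops "A.Count" from one timeCountIndicator and appends a third, hypothetical indicator so the column-wise (Method 2) multivalue fields no longer line up while the row-wise (Method 1) view stays correct.

```python
import copy
import json

# The event from the post's makeresults, used here as constructed sample input
RAW = json.loads('{"env": "prod", "host": "prod", "name": "appName", "info": {"data": [], "indicators": [{"details": {"A.runTime": 434, "A.Count": 0, "B.runTime": 0, "B.Count": 0}, "name": "timeCountIndicator", "status": "UP"}, {"details": {"A.downCount": 2, "A.nullCount": 0, "B.downCount": 0, "B.nullCount": 0}, "name": "downCountIndicator", "status": "UP"}, {"details": {"A.runTime": 333, "A.Count": 2, "B.runTime": 21, "B.Count": 4}, "name": "timeCountIndicator", "status": "UP"}], "status": "DOWN"}, "metrics": {}, "ping": 1}')


def time_count_indicators(event):
    """The case()/mvmap filter: keep only objects whose name is timeCountIndicator."""
    return [i for i in event["info"]["indicators"] if i.get("name") == "timeCountIndicator"]


def flatten(obj, prefix=""):
    """Flatten nested dicts into dotted leaf paths, the way spath names its fields."""
    out = {}
    for key, value in obj.items():
        path = f"{prefix}.{key}" if prefix else key
        if isinstance(value, dict):
            out.update(flatten(value, path))
        else:
            out[path] = value
    return out


def method1_rows(event):
    """mvexpand analogue: one row per object, so a missing key is simply absent in its own row."""
    return [flatten(i) for i in time_count_indicators(event)]


def method2_multivalue(event):
    """Array analogue: one multivalue field per leaf path holding only the values that exist,
    so an object lacking a key shortens that field and shifts later values up by one position."""
    mv = {}
    for row in method1_rows(event):
        for path, value in row.items():
            mv.setdefault(path, []).append(value)
    return mv


def misaligned_paths(mv):
    """Leaf paths whose value count differs from the longest field, i.e. positions no longer line up."""
    longest = max(len(values) for values in mv.values())
    return sorted(path for path, values in mv.items() if len(values) != longest)


def event_with_gap():
    """Constructed variant: drop A.Count from the 333 indicator and append a hypothetical third one."""
    event = copy.deepcopy(RAW)
    indicators = event["info"]["indicators"]
    del indicators[2]["details"]["A.Count"]
    indicators.append({"details": {"A.runTime": 500, "A.Count": 7, "B.runTime": 1, "B.Count": 1},
                       "name": "timeCountIndicator", "status": "UP"})
    return event


if __name__ == "__main__":
    mv = method2_multivalue(event_with_gap())
    # [434, 333, 500] [0, 7]: read column-wise, the 7 appears to belong to runTime 333, not 500
    print(mv["details.A.runTime"], mv["details.A.Count"], misaligned_paths(mv))
```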