First off, please post raw text to illustrate data (not Splunk's contracted display). You already get a fields DeviceProperties{}.Name and DeviceProperties{}.Value. There are several ways to transf...
See more...
First off, please post raw text to illustrate data (not Splunk's contracted display). You already get a fields DeviceProperties{}.Name and DeviceProperties{}.Value. There are several ways to transform that into the table format you want, one of which do not require any field extraction. But let me use extraction - because when dealing with structured data such as JSON, it is important to not attempt to text extraction such as regex. DeviceProperties is an array. That is why Splunk flattens it into the notation of {}. The most straightforward method is spath command toward this array, run mvexpand over the array so they become single-valued hash elements, then run spath over these elements: | spath path=DeviceProperties{}
| mvexpand DeviceProperties{}
| spath input=DeviceProperties{} This will give you a field called Name, and a field called Value. All you need to do is to transpose it. So, you add | table Name Value
| transpose 0 header_field=Name column_name=_ This, of course is assuming that you only have one event. If you have multiple events, you must have a unique event key for each row. (When asking a question, these constraints must be clearly stated. Asking volunteers to read your mind is never a good idea.) Assuming that unique key is called "UniqueKey" for each event (it could be a combination of existing fields, just like in SQL), you can use xyseries instead of transpose. | xyseries UniqueKey Name Value