Hi all,

I'm trying to convert the message body of my events into fields. The structure of the event message is in a comma delimited key-value pair format. An example of the structure is:

Time                      Event
10/08/2021 15:09:49.000   Timestamp,10/08/2021 15:09:49,Environment,EUAT,Artefact,ICE,Application,ICE,Domain,ws,Status,RUNNING
10/08/2021 15:09:49.000   Timestamp,10/08/2021 15:09:49,Environment,EUAT,Artefact,ICE,Application,Radiating Whitespaced App,Domain,dc,Status,ERROR
10/08/2021 15:09:49.000   Timestamp,10/08/2021 15:09:49,Environment,DEV,Artefact,MC,Application,MCIO,AppID,4,Hostname,4569erg,Domain,wsdc,Status,STOPPED

Is there a way, through a search query, to make every odd value a 'field' and every even value a corresponding 'value' for that field? Therefore, 'Timestamp' would be a field, with its corresponding value, then 'Environment' would be the next field.

The tricky part is that there can be varying lengths of key-value pair strings in the events. For instance, the first row has 6 pairs of key-value pairs, whereas the third row has 8.

Any help would be greatly appreciated!
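An added example, not part of the original post and not a search query: the odd/even pairing logic written as a small Python parser, run over the three event bodies quoted above. The function name `parse_event`, the CSV-style quoting of values that contain commas, and the keep-first handling of duplicate keys are assumptions made for illustration.

```python
import csv
from io import StringIO

# Sample input: the three event bodies quoted in the post.
SAMPLE_EVENTS = [
    "Timestamp,10/08/2021 15:09:49,Environment,EUAT,Artefact,ICE,"
    "Application,ICE,Domain,ws,Status,RUNNING",
    "Timestamp,10/08/2021 15:09:49,Environment,EUAT,Artefact,ICE,"
    "Application,Radiating Whitespaced App,Domain,dc,Status,ERROR",
    "Timestamp,10/08/2021 15:09:49,Environment,DEV,Artefact,MC,"
    "Application,MCIO,AppID,4,Hostname,4569erg,Domain,wsdc,Status,STOPPED",
]


def parse_event(body):
    """Split a key,value,key,value,... body into (fields, problems).

    Odd-position tokens become field names and even-position tokens their
    values, for any number of pairs. Anything that would silently misalign
    fields is reported in `problems` instead of being guessed at.
    """
    # csv.reader keeps a quoted value such as "App, v2" as one token
    # (assumption: the producer quotes values that contain commas).
    tokens = [t.strip() for t in next(csv.reader(StringIO(body)), [])]
    fields, problems = {}, []

    # An odd token count means a key without a value, or an unquoted comma
    # inside a value that shifted every later pair by one position.
    if len(tokens) % 2:
        problems.append(f"odd token count, dropped trailing {tokens[-1]!r}")
        tokens = tokens[:-1]

    for key, value in zip(tokens[0::2], tokens[1::2]):
        if not key:
            problems.append(f"empty field name before value {value!r}")
        elif key in fields:
            # Assumption: keep the first occurrence and flag the repeat.
            problems.append(f"duplicate field {key!r}")
        else:
            fields[key] = value
    return fields, problems


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(parse_event(event))
```

Events that come back with a non-empty `problems` list are worth routing to review rather than indexing as-is, since a shifted pair puts values under the wrong field names.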