Hi, I have the following JSON object that is indexed via the default JSON extraction (INDEXED_EXTRACTIONS):

    {
      "assetId": 123456,
      "cloudProvider": {
        "aws": {
          "ec2": {
            ...
          },
          "tags": [
            {
              "key": "AAA",
              "value": "aaa"
            },
            {
              "key": "BBB",
              "value": "bbb"
            },
            {
              "key": "CCC",
              "value": "ccc"
            }
          ]
        }
      }
    }

I'm attempting to re-write the following original search into tstats:

    ...
    | spath output=AWS_TAGS path="cloudProvider.aws"
    | stats latest(AWS_TAGS) AS AWS_TAGS by assetId
    | spath input=AWS_TAGS output=AWS_TAGS path="tags{}"
    | eval AWS_TAGS=mvmap(AWS_TAGS,spath(AWS_TAGS,"key")."::".spath(AWS_TAGS,"value"))

This creates the AWS_TAGS multivalue list, with a result like this for each assetId:

    AAA::aaa
    BBB::bbb
    CCC::ccc

The issue with tstats is that the JSON object found at the path 'cloudProvider.aws' does not exist with tstats, i.e. there's no JSON object value for the TERM(cloudprovider.aws).

That's why my original search had an spath, to explicitly grab the JSON object at 'cloudprovider.aws'. This way it allowed me to achieve latest tags for each assetId and preserve the key-value pairs with mvmap.

With tstats, it only sees the terms cloudprovider.aws.tags{}.key and cloudprovider.aws.tags{}.value, which I could get with tstats values(), but it may or may NOT be latest. Plus it will be tricky to line them up as key-value pairs.

I definitely get the fact that tstats looks for terms in tsidx files, so _raw is not searched. I guess the ask here is: any idea how to get the cloudprovider.aws JSON object extracted for tstats at search time?
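
An added illustration, not part of the original post: a small Python model of the two behaviours the question contrasts, aggregating the flattened `tags{}.key` / `tags{}.value` fields with values() versus taking the latest whole object per assetId. The sample events, the `_time` values and all function names are constructed; the model assumes values() returns the distinct values across all matching events in sorted order.

```python
from collections import defaultdict

# Constructed sample events: two snapshots of the same asset, tags changed in between.
EVENTS = [
    {"_time": 100, "assetId": 123456, "cloudProvider": {"aws": {"tags": [
        {"key": "AAA", "value": "zzz"}, {"key": "BBB", "value": "bbb"}]}}},
    {"_time": 200, "assetId": 123456, "cloudProvider": {"aws": {"tags": [
        {"key": "AAA", "value": "aaa"}, {"key": "CCC", "value": "ccc"}]}}},
]

def flatten(node, prefix=""):
    """Yield (field, value) pairs named like indexed JSON fields:
    dotted paths, with '{}' appended for array elements."""
    if isinstance(node, dict):
        for k, v in node.items():
            yield from flatten(v, f"{prefix}.{k}" if prefix else k)
    elif isinstance(node, list):
        for item in node:
            yield from flatten(item, prefix + "{}")
    else:
        yield prefix, node

def values_by_asset(events):
    """Model of values(<field>) by assetId: distinct, sorted, over ALL events."""
    out = defaultdict(lambda: defaultdict(set))
    for ev in events:
        for field, val in flatten(ev["cloudProvider"], "cloudProvider"):
            out[ev["assetId"]][field].add(val)
    return {a: {f: sorted(v) for f, v in fields.items()} for a, fields in out.items()}

def latest_pairs_by_asset(events):
    """Model of the spath / latest / mvmap search: newest event per asset, pairs intact."""
    newest = {}
    for ev in events:
        cur = newest.get(ev["assetId"])
        if cur is None or ev["_time"] > cur["_time"]:
            newest[ev["assetId"]] = ev
    return {a: [f'{t["key"]}::{t["value"]}' for t in ev["cloudProvider"]["aws"]["tags"]]
            for a, ev in newest.items()}

if __name__ == "__main__":
    print(values_by_asset(EVENTS)[123456])        # stale BBB/zzz mixed in, pairing lost
    print(latest_pairs_by_asset(EVENTS)[123456])  # only the current key::value pairs
```

In the model, the values() view holds three keys but four values, so the two lists cannot be zipped back into pairs, and the removed BBB tag still appears.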