I've got a feed that is sending non-compliant json since spath doesn't work on it. I put together this search index=dlp sourcetype=sft:json "{"
| head 1
| eval data='{"time": "2023-07-21T19:10:...
See more...
I've got a feed that is sending non-compliant json since spath doesn't work on it. I put together this search index=dlp sourcetype=sft:json "{"
| head 1
| eval data='{"time": "2023-07-21T19:10:48+00:00", "pid": 24086, "msec": 1689966648.059, "remote_addr": "aaa.bbb.ccc.ddd", "request_time": 0.005, "host": "sitename.noname.org", "remote_user": "-", "request_filtered": "GET /healthz HTTP/1.1", "status": 200, "body_bytes_sent": 13, "bytes_sent": 869, "request_length": 72, "http_referer_filtered": "", "http_user_agent": "-", "http_x_forwarded_for": "-", "context": "973235423dccda96a385ca21c133891632a28d91"}'
| spath input=data I'm not seeing any value for data, thus nothing for the spath. Do I need to do something special to the eval to get it to process? TIA, Joe