My search:
SEARCH...
```Purpose: pull the JSON request body out of Message, parse it, and tabulate the SAP response fields together with the request metadata. The base search above is elided by the author.```
```Split Message at ", RequestBody: ": Short receives the text before it, ShortMessage the run of non-whitespace characters after it that is followed by a double quote. NOTE(review): [^\s]+ cannot cross whitespace, so this assumes the JSON body is logged compactly (no spaces or line breaks, including inside string values) - confirm against a raw event, otherwise the body is truncated and spath parses incomplete JSON.```
| rex field=Message "^(?<Short>.*),\sRequestBody:\s(?<ShortMessage>[^\s]+)\".*$"
```Parse the JSON held in ShortMessage and extract its keys as fields named by their JSON path.```
| spath input=ShortMessage
```Give the extracted paths short names. Each {} in a path is a JSON array level, so the fields under sapResponses{} are multivalue: one value per array element, all in the same event.```
| rename sapResponseData{}.contractAccounts{}.nameId AS NameId sapResponseData{}.contractAccounts{}.contractAccount AS ContractAccountNumber sapResponseData{}.contractAccounts{}.sapResponses{}.contractNumber AS ContractNumber sapResponseData{}.contractAccounts{}.sapResponses{}.messageId AS messageId sapResponseData{}.contractAccounts{}.sapResponses{}.messageNumber AS messageNumber sapResponseData{}.contractAccounts{}.sapResponses{}.dataset AS dataSet metadata.correlationId AS CorrelationId metadata.sendDate AS SendDate metadata.sendTime AS SendTime
```Match dataSet against the dataset column of dataset_lookup.csv and write the matching usage value to Usage; OUTPUTNEW does not overwrite a Usage value that already exists.```
| lookup dataset_lookup.csv dataset AS dataSet OUTPUTNEW usage AS Usage
```Show the selected fields as columns. Nothing above splits the event per response, so the values of every sapResponses entry share one row.```
| table _time NameId ContractAccountNumber ContractNumber messageId messageNumber dataSet Usage CorrelationId SendDate SendTime
The new field produced by splitting the Message field:
{
"sapResponseData": [
{
"responseOriginatedIn": "ERROR",
"contractAccounts": [
{
"nameId": "ABC_999999999999999",
"contractAccount": "888888888888",
"sapResponses": [
{
"contractNumber": 999999999,
"responseCode": "002",
"messageId": "DEF456",
"messageNumber": "031",
"dataset": "002"
},
{
"contractNumber": 999999999,
"responseCode": "002",
"messageId": "ABC123",
"messageNumber": "094",
"dataset": "001"
}
]
}
]
}
],
"metadata": {
"correlationId": "Correlation_ID",
"priority": "LOW",
"sendDate": "2019-03-21",
"sendTime": 224813
}
}
Currently, all sapResponses appear in the same field in the table.
How can I create a new event per sapResponse and keep the metadata on every event?