Hi @dubiza, sorry for the delay.
Spath can work as a function (within eval): https://docs.splunk.com/Documentation/Splunk/7.2.6/SearchReference/TextFunctions#spath.28X.2CY.29
Or as a command: https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Spath
But the behaviour is pretty much the same.
myJSON is just a random variable name I chose to test the raw json data provided in the question, but this could be your actual event, in which case you would just need to change that in the first spath. Now, that first spath extracts from your raw json (myJSON), based on the path "Request.capability.Attributes{}", into the new variable req_cap_attr.
The second spath extracts everything from myJSON automatically, creating field names based on the JSON hierarchy. The reason req_cap_attr is extracted separately is that we would like to create new field names based on the values inside the "Request.capability.Attributes{}" branch in a dynamic way, by first extracting them with regex:
| rex field=req_cap_attr "\"[^\"]+\"\s*:\s*\"(?<key>[^\"]+)\"\s*\,\s*\"[^\"]+\"\s*:\s*\"(?<value>[^\"]+)\""
And then dynamically generating those field names with the following syntax:
| eval {key} = value
That syntax above is the one responsible for the field names in the attached screenshot above.
Hope that clarifies a little. It's been more than 1 year since I answered this.
By the way, if you like my answer don't forget to upvote it so that others can find it quicker too.
Thanks,
Javier
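To make the three steps above concrete outside of Splunk, here is an added Python emulation (not Javier's code and not a Splunk API) of what the pipeline does: a minimal stand-in for spath's "a.b.c{}" path, the same regex the rex command uses applied to each extracted element, and a dict standing in for `eval {key} = value`. The event JSON is constructed for the example; it also shows the caveat that an attribute whose value is not a quoted string does not match the regex and so produces no field.

```python
import json
import re

# Constructed sample event (not from the original question), shaped like the
# "Request.capability.Attributes{}" branch the answer refers to.
SAMPLE_EVENT = json.dumps({
    "Request": {
        "capability": {
            "Attributes": [
                {"Name": "userId", "Value": "u-1001"},
                {"Name": "role", "Value": "analyst"},
                {"Name": "retries", "Value": 3},  # numeric value: the regex will not match it
            ]
        }
    }
})

# Same pattern as the answer's rex: the first quoted value becomes the key,
# the second quoted value becomes the value (order of the pair matters).
ATTR_RE = re.compile(
    r'"[^"]+"\s*:\s*"(?P<key>[^"]+)"\s*,\s*"[^"]+"\s*:\s*"(?P<value>[^"]+)"'
)


def spath(event: str, path: str) -> list:
    """Hypothetical stand-in for spath: walk dotted keys; a trailing '{}' means
    'every element of the array at this level', returned as JSON strings
    (that is what req_cap_attr holds as a multivalue field)."""
    node = json.loads(event)
    for part in path.split("."):
        if part.endswith("{}"):
            items = node[part[:-2]]
            return [json.dumps(item, separators=(",", ":")) for item in items]
        node = node[part]
    return [node]


def dynamic_fields(event: str) -> dict:
    """Emulates rex over each req_cap_attr value followed by `eval {key} = value`."""
    fields = {}
    for raw in spath(event, "Request.capability.Attributes{}"):
        m = ATTR_RE.search(raw)
        if m:  # elements that do not match the regex simply yield no field
            fields[m.group("key")] = m.group("value")
    return fields
```

Swapping the order of "Name" and "Value" inside an element would make the regex use the value as the field name, which is worth checking against your real events before relying on the extracted names.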