Hi all .
This is an example of a json i'm sending to my Splunk cloud.
{ "workers": [
{
"UserID": 100000906,
"ActiveShiftName": "learning sports",
"WorkerName": "tim",
"CurrentRoleInShift": "Tagger",
"IsLogged": true,
"TimeFromLastEventSaved": "00:00:13.2323651",
"TimeFromLastEventApproved": null,
"TotalEventsSavedInPast30Min": 68,
"TotalEventsApprovedInPast30Min": 0
},
{
"UserID": 100002137,
"ActiveShiftName": "learning sports",
"WorkerName": "liverpool2",
"CurrentRoleInShift": null,
"IsLogged": false,
"TimeFromLastEventSaved": null,
"TimeFromLastEventApproved": null,
"TotalEventsSavedInPast30Min": 0,
"TotalEventsApprovedInPast30Min": 0
} ] }
I would like to build a table with this fields :
workers{}.active_shift_name
workers{}.worker_name
workers{}.worker_id CurrentRoleInShift
workers{}.TimeFromLastEventSaved
workers{}.TimeFromLastEventApproved
workers{}.IsLogged
I tried multiple commands with no success
For an example I tried this command :
index="Test1" | spath input=_raw path="workers{}.ActiveShiftName" output=active_shift_name | spath input=_raw path="workers{}.WorkerName" output=worker_name |spath input=_raw path="workers{}.UserID" output=worker_id |spath input=_raw path="workers{}.CurrentRoleInShift" output=CurrentRoleInShift |spath input=_raw path="workers{}.TimeFromLastEventSaved" output=TimeFromLastEventSaved |spath input=_raw path="workers{}.TimeFromLastEventApproved" output=TimeFromLastEventApproved |spath input=_raw path="workers{}.TotalEventsSavedInPast30Min" output=TotalEventsSavedInPast30Min |spath input=_raw path="workers{}.TotalEventsApprovedInPast30Min" output=TotalEventsApprovedInPast30Min |spath input=_raw path="workers{}.IsLogged" output=IsLogged | table active_shift_name worker_name worker_id CurrentRoleInShift TimeFromLastEventSaved TimeFromLastEventApproved IsLogged
Can you please help ?
Thank you!
Amit
... View more