Here is the source data:
{
"contextValues": [
"10.1.1.1",
"10",
"testhost"
],
"contextTypes": [
"IP",
"threshold",
"hostname"
],
"message": "Latency on {hostname} with IP {IP} is higher than {threshold} ms."
}
I need a query to fill out messages. Items in braces in messages need to match contextType, to determine index and to retrieve contextValue on the same index. There could be zero to 10 items in braces and you cannot guarantee the order/index for specific contextTypes as they change.
I've played around with spath to grab data and multi-value fields. I can figure out how to get the data from contextValues at the same index as a matching search from contextTypes, but I'm failing around the multiple replace. I can do the first replace, but not all the others.
My next thought was to use regex to find the first occurrence and do the mvfind on index 0 of msgfield match, then a regex for 2nd match, etc. But, I can't figure how to do that w/ regex. The replace in the search below does not work correctly (replaces all items in braces w/ same value).
There's gotta be a simpler way. I just need the messages field filled out w/ replaced values.
| spath output=msg path=message
| spath output=cType path=contextTypes{}
| spath output=cVal path=contextValues{}
| rex max_match=25 field=msg "{(?<msgfield>.+?)}"
| eval val=mvindex(cVal,mvfind(cType,mvindex(msgfield,0)))
| eval msg=replace (msg,"{.*?}",mvindex(cVal,mvfind(cType,mvindex(msgfield,0))))
| table msgfield, message, msg, val
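One way to do the per-placeholder replace asked about above, as an added example that is not part of the original post: it walks the indexes of contextTypes and replaces each `{type}` with the contextValues entry at the same index, so the order of the types does not matter. It assumes a Splunk release whose `foreach` supports `mode=multivalue`, type names that contain no regex metacharacters, a hypothetical helper field `idx`, and a `makeresults` event constructed from the sample data in the post.

```spl
| makeresults
| eval _raw="{\"contextValues\":[\"10.1.1.1\",\"10\",\"testhost\"],\"contextTypes\":[\"IP\",\"threshold\",\"hostname\"],\"message\":\"Latency on {hostname} with IP {IP} is higher than {threshold} ms.\"}"
| spath output=msg path=message
| spath output=cType path=contextTypes{}
| spath output=cVal path=contextValues{}
| eval idx=mvrange(0, mvcount(cType))
| foreach mode=multivalue idx
    [ eval msg=replace(msg, "\{" . mvindex(cType, <<ITEM>>) . "\}", coalesce(mvindex(cVal, <<ITEM>>), "")) ]
| table message, msg
```

A placeholder whose name has no entry in contextTypes stays in `msg` as written, which makes unmatched templates easy to spot with a follow-up `| where match(msg, "\{")`.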