I'm currently trying to write a query that will let me separate the following "browser" sections in this JSON array into separate events, preferably with the rest of the data in the output still being included.
The problem I'm running into at the moment is that when I try to write a query for returning only the count for different versions of Chrome, in a situation where there is another browser present in the record, I'm getting the "browser_version" field of the other browser included as well.
An example of this query is:
index=security browser_family "browsers{}.browser_family"=Chrome* | spath "browsers{}.browser_version" | chart count by browsers{}.browser_version | sort browsers{}.browser_version
{
"browsers": [{
"browser_family": "Chrome",
"browser_version": "51.0.2704.103",
"flash_version": "22.0.0.0",
"java_version": "uninstalled"
},
{
"browser_family": "Safari",
"browser_version": "9.1.1",
"flash_version": "uninstalled",
"java_version": "1.8.0.45",
"last_used": 1474483713
}],
"email": "ejennings@example.com",
"epkey": "EP18JX1A10AB102M2T2X",
"model": "",
"os_family": "Mac OS X",
"os_version": "10.11.5",
"type": "",
"username": "ejennings"
}
Any ideas of how I could accomplish this?
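One way to get per-browser events, as an added example that is not part of the original post: the search above matches at the event level, so an event that contains both a Chrome and a Safari entry passes the "browsers{}.browser_family"=Chrome* filter as a whole and "browsers{}.browser_version" carries both versions. Splitting the array first with spath and mvexpand, then re-extracting the fields from each element and filtering only after the split, keeps the two browsers apart. The index name and the field names are taken from the posted search and JSON; everything else is the assumed layout of the events.

```spl
index=security
| spath path=browsers{} output=browser
| mvexpand browser
| spath input=browser path=browser_family output=browser_family
| spath input=browser path=browser_version output=browser_version
| search browser_family="Chrome*"
| chart count by browser_version
| sort browser_version
```

The first spath turns the browsers array into a multivalue field whose values are the raw JSON of each element, and mvexpand emits one event per value while leaving the top-level fields (username, email, os_family, os_version, epkey) on every expanded event, which is what keeps "the rest of the data" in the output. The second pair of spath calls read browser_family and browser_version out of that single element only, so the search on browser_family no longer drags the sibling browser's version along. Two caveats: the filter has to come after mvexpand (a filter in the base search still operates on the whole event), and mvexpand is bounded by a memory limit in limits.conf, so very large arrays can be truncated with a warning rather than fully expanded.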