Here is a reduced version of my JSON:
{ records: [ { errors: 4 name: name1 plugin: p1 type: type1 } { errors: 7 name: name2 plugin: p1 type: type2 } { errors: 0 name: name3 plugin: p2 type: type3 } ] session: { document: my_doc user: me version: 7.1 } }
There are 3 records in records{} so I expect to get 3 events using mvexpand, but I get 6 events. I'm using a similar query I've found in an answer in this community:
| spath
| rename records{}.name AS name, records{}.type AS type, records{}.plugin as plugin, records{}.errors as errors
| eval x=mvzip(mvzip(mvzip(name,type),plugin),errors)
| mvexpand x
| eval x=split(x,",")
| eval name=mvindex(x,0)
| eval type=mvindex(x,1)
| eval plugin=mvindex(x,2)
| eval errors=mvindex(x,3)
| table name, type, plugin, errors
I get 6 rows instead of 3:
name
type
plugin
errors
name1
type1
p1
4
name2
type2
p1
7
name3
type3
p2
0
name1
type1
p1
4
name2
type2
p1
7
name3
type3
p2
0
Any suggestion how to fix the query to avoid the duplication? Thanks!
... View more