I have three types of data entries.
{
<Irrelevant field omitted>
"parameters": [
{
"LicenseNumber": "123456"
}
],
"eventTimestamp": "2023-05-09T15:23:57+0300",
}
{
<Irrelevant field omitted>
"parameters": [
{
"Holder_Id": "654321"
}
],
"eventTimestamp": "2023-05-09T15:23:57+0300",
}
{
<Irrelevant field omitted>
"parameters": [
{
"Name": "John Doe"
}
],
"eventTimestamp": "2023-05-09T15:23:57+0300",
}
I want to get stats how many by the field parameter field type as in Name:69, Holder_Id:42, LicenseNumber:76.
I thought I'd use eval to create a field by the existence of each parameters, but that doesn't work.
<base_query> | eval group_name = case(isnotnull('parameters{}.Name'), Name, isnotnull('parameters{}.HolderId'), HolderId, isnotnull('parameters{}.LicenseNumber'), LicenseNumber) | stats count by group_name
... View more