I wrote the below query to get the data and display it in my dashboard, and I am getting results with the correct data plus additional data too.
Here is the query:
index=tap-prod sourcetype=prod jobId=e62-71c72ccb3aec diff
| rex field=_raw "\"diff\":(?<message>.*)}+"
| spath input=message
| extract kvdelim=":" pairdelim="," message
| table fieldName path expValue actValue
Here is the data I am parsing:
{
"tapName": "tapData",
"tapUuid": "22015f427a12",
"diff": {
"actValue": "tap_actualValue",
"address": ".@gmail.com",
"diffType": "SAMPLE_DIFFERENCE",
"expValue": "tap_expectedValue",
"fieldName": "Sample",
"fullPath": "/http://www.gmail.com/file",
"path": "/send"
}
}
While executing the above query I am getting the below results, which are incorrect:
Results
(fieldName) ( path ) (expValue) (actValue) (address)
address":.@gmail.com" expValue":"tap_expectedValue actValue":"tap_actualValue testName":"someOtherVal `Sample` `/send` `tap_expectedValue` `tap_actualValue`
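The following is an added Python example, not part of the original post and not Splunk's own code. It replays the pipeline above on a one-line serialization of the posted JSON: the same rex pattern with the capture named message, a JSON parse standing in for spath, and a deliberately simplified imitation (an assumption, not Splunk's actual implementation) of extract with ":" and "," delimiters. The point it makes visible is that the delimiter split has no JSON awareness, so it produces keys that still carry quotes and braces, while parsing the event as JSON yields exactly the four wanted fields.

```python
import json
import re

# Constructed sample event: the JSON from the question, serialized on one
# line as it would sit in _raw (values copied from the post).
RAW_EVENT = json.dumps({
    "tapName": "tapData",
    "tapUuid": "22015f427a12",
    "diff": {
        "actValue": "tap_actualValue",
        "address": ".@gmail.com",
        "diffType": "SAMPLE_DIFFERENCE",
        "expValue": "tap_expectedValue",
        "fieldName": "Sample",
        "fullPath": "/http://www.gmail.com/file",
        "path": "/send",
    },
}, separators=(",", ":"))

# Same pattern as the question's rex; the capture is named "message" so the
# later steps can consume it. Greedy .* backtracks just enough for }+ to
# match the event's final brace, leaving a complete diff object.
DIFF_RE = re.compile(r'"diff":(?P<message>.*)}+')

WANTED = ("fieldName", "path", "expValue", "actValue")


def rex_diff(raw: str) -> str:
    """Return the text captured as 'message' by the rex pattern."""
    m = DIFF_RE.search(raw)
    if m is None:
        raise ValueError("no diff object in event")
    return m.group("message")


def spath_like(message: str) -> dict:
    """Stand-in for `spath input=message`: parse the captured text as JSON."""
    return json.loads(message)


def naive_kv_extract(message: str) -> dict:
    """Simplified imitation (assumption, not Splunk's real extract command)
    of `extract kvdelim=":" pairdelim=","`: split pairs on ',' and each pair
    on its first ':'. Quotes and braces leak into the keys and values."""
    out = {}
    for pair in message.split(","):
        if ":" not in pair:
            continue
        key, value = pair.split(":", 1)
        out[key.strip()] = value.strip()
    return out


def parse_diff(raw: str) -> dict:
    """Treat the whole event as JSON and keep only the four wanted fields."""
    diff = json.loads(raw).get("diff", {})
    return {k: diff.get(k) for k in WANTED}


if __name__ == "__main__":
    captured = rex_diff(RAW_EVENT)
    print("rex capture:", captured)
    print("spath-style fields:", spath_like(captured))
    print("delimiter split keys:", sorted(naive_kv_extract(captured)))
    print("wanted fields:", parse_diff(RAW_EVENT))
```

Running it shows the delimiter split producing keys such as `"address"` and `{"actValue"` (quotes included) next to the clean fields from the JSON parse, which is the same pattern of extra columns the question's results table shows.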