I'm totally new to Splunk. I have this JSON file already indexed:
{"EventType":2,"EventData":{"Values":[{"Status":1,"Name":"BOT1"},{"Status":0,"Name":"BOT2"},{"Status":0,"Name":"BOT3"},{"Status":1,"Name":"BOT4"}],"Subject":"Resource Online Status","Source":"Dashboard"}}
I need to create a table which contains the Values in separate columns like this:
ID STATUS RESOURCE
1 1 BOT1
2 0 BOT2
3 0 BOT3
4 1 BOT4
I'm trying the following:
index="main" resource online Status | table "EventData.Values{}.Name" "EventData.Values{}.Status" | sort -_time asc | head 1
But it gives me this:
ID EventData.Values{}.Name EventData.Values{}.Status
1 BOT1 BOT2 BOT3 BOT4 1 0 0 1
How can I combine the two columns to generate the desired format?
Thank you!