Hello @brutecat,
the search below does the trick:
| makeresults
```makeresults emits one placeholder event; the eval below overwrites _raw with the sample JSON so the extraction can be tried without indexed data. _time on this event is the search time, not the timestamp inside the JSON.```
| eval _raw="{
\"event\":
{
\"time\": \"2019-02-10T05:52:03\",
\"StatsMonitor\": {
\"time\": \"2019-02-10T05:52:03\",
\"name\": \"StatsMonitor\",
\"LocalTimetDelta\": 0,
\"CaptureTimetDelta\": 0,
\"DeltaTimeAuditLog\": 0,
\"ActiveUsers\": 26
}
},
\"action\":
{
\"StatsMonitor\": {
\"time\": \"2019-02-10T05:52:03\",
\"name\": \"StatsMonitor\",
\"LocalTimetDelta\": 0,
\"CaptureTimetDelta\": 0,
\"DeltaTimeAuditLog\": 0,
\"ActiveUsers\": 26
}
}
,
\"action\":
{
\"StatsMonitor\": {
\"time\": \"2019-01-10T06:52:03\",
\"name\": \"StatsMonitor\",
\"LocalTimetDelta\": 0,
\"CaptureTimetDelta\": 0,
\"DeltaTimeAuditLog\": 0,
\"ActiveUsers\": 52
}
}
}"
```spath with no arguments extracts the JSON in _raw into dotted field names such as event.time and event.StatsMonitor.ActiveUsers.```
```NOTE(review): the sample repeats the action key; how spath presents the repeated action.* values should be confirmed. None of the action.* fields are renamed or listed below, so they do not reach the final table.```
| spath
```Give the outer event.time a short field name.```
| rename event.time as time
```With path= and no output=, the value under event is written to a field named event. The following commands only use fields already produced by the first spath, so this step looks optional - confirm before removing.```
| spath path=event
```Strip the event.StatsMonitor. prefix from every matching field. This also writes event.StatsMonitor.time into time; in the sample it holds the same value as event.time.```
| rename event.StatsMonitor.* as *
```time is the string taken from the JSON, not _time. Presumably it needs strptime before it is used for time-range filtering or alerting - confirm against the real data.```
| table time ActiveUsers