I want to convert the UsagePerUser field into a string with the following format:
Current output:
info1 info2 UsagePerUser
===========================
val1  val2  {"user1":0.1,"user2":0.2}
---------------------------
val3  val4  {"user3":0.3,"user4":0.4}
Desired output:
info1 info2 UsagePerUser
===========================
val1  val2  user1 10.0
            user2 20.0
---------------------------
val3  val4  user3 30.0
            user4 40.0
This is the Splunk command I am currently using:
index="my_index" source="my_source"
| sort - _time
| dedup Path
| spath output=UsagePerUser path=UsagePerUser
| eval UsagePerUser = json(UsagePerUser)
| table info1, info2, UsagePerUser
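This command only extracts the UsagePerUser sub-dictionary, but I need to convert it into the desired string format. Any suggestions or guidance on how to modify this command to achieve the desired output would be greatly appreciated.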
Try this SPL; you will find explanations in the code:
| makeresults ```start mock data```
format=json
data="
[
{
\"info1\": \"val1\",
\"info2\": \"val2\",
\"UsagePerUser\": {
\"user1\": 0.1,
\"user2\": 0.2
}
},
{
\"info1\": \"val1\",
\"info2\": \"val2\",
\"UsagePerUser\": {
\"user3\": 0.3,
\"user4\": 0.4
}
}
]
"
```start your query```
| spath output=UsagePerUser path=UsagePerUser
| eval UsagePerUser = json(UsagePerUser)
| table info1, info2, UsagePerUser
```end your query```
```extract usernames (un) and usage from json into multivalue fields```
| rex field=UsagePerUser max_match=100 "\"(?P<un>[^\"]+)\":(?P<usage>[\d.]+)"
| eval
```fix usage magnitude```
usage=mvmap(usage,usage*100),
```zip together username and usage```
UsagePerUser=mvzip(un,usage," ")
| fields - un usage