将嵌套的json转换为splunk

问题描述 投票:0回答:1

我想将用法播放器字段转换为带有以下格式的字符串:

电流输出:

info1 info2 UsagePerUser =========================== val1 val2 {"user1":0.1,"user2":0.2} --------------------------- val3 val4 {"user3":0.3,"user4":0.4}

既定的输出:

info1  info2  UsagePerUser
===========================
val1   val2   user1    10.0
              user2    20.0
---------------------------
val3   val4   user3    30.0
              user4    40.0
我目前正在使用的是我目前正在使用的splunk命令:

index="my_index" source="my_source" | sort - _time | dedup Path | spath output=UsagePerUser path=UsagePerUser | eval UsagePerUser = json(UsagePerUser) | table info1, info2, UsagePerUser
this命令仅提取usageperuser sub-dnactary,但我需要将其转换为所需的字符串格式。
关于如何修改此命令以实现所需输出的任何建议或指导将不胜感激。
    

尝试这个地方的spl;在代码中找到说明:
| makeresults ```start mock data```
    format=json 
    data="
        [
{
  \"info1\": \"val1\",
  \"info2\": \"val2\",
  \"UsagePerUser\": {
    \"user1\": 0.1,
    \"user2\": 0.2
  }
},
{
  \"info1\": \"val1\",
  \"info2\": \"val2\",
  \"UsagePerUser\": {
    \"user3\": 0.3,
    \"user4\": 0.4
  }
}
        ]
    "
```start your query```
| spath output=UsagePerUser path=UsagePerUser
| eval UsagePerUser = json(UsagePerUser)
| table info1, info2, UsagePerUser
```end your query```
```extract usernames (un) and usage from json into multivalue fields```
| rex field=UsagePerUser max_match=100 "\"(?P<un>[^\"]+)\":(?P<usage>[\d.]+)"
| eval 
````fix usage magnitude```
    usage=mvmap(usage,usage*100),
```zip together usernaem and usage```
    UsagePerUser=mvzip(un,usage," ")
| fields - un usage

splunk splunk-query
1个回答
0
投票
最新问题
© www.soinside.com 2019 - 2024. All rights reserved.