Splunk: process JSON and convert JSON fields into columns and values

Question description Votes: 0 Answers: 1

I need to convert the data into a table like the one below, where each metric needs to be my column name and each corresponding value needs to be my data field.

I tried something, but it doesn't work:

index=sonar_dev sourcetype="sonarqube:branch:metrics"
| rename measures.component.name as ProjectName
| rename branch as Branchname
| rename qualityGateStatus as QualityGate_Status
| spath
| rename measures.metrics{}.name as Metrics
| stats values(Branchname) by Metrics
| transpose

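I did this out of curiosity, but next time please provide working JSON, because correcting the formatting took half the time.

That said, here is a run-anywhere SPL with inline comments: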

| makeresults ```start mock data```
    format=json
    data="
        [
            {
                \"branch\": \"test\",
                \"measures\": {
                    \"component\": {
                        \"key\": \"XXXXXXX\",
                        \"measures\": [{
                                \"metric\": \"alert_status\",
                                \"value\": \"ERROR\"
                            },{
                                \"bestValue\": \"false\",
                                \"metric\": \"sqale_index\",
                                \"value\": 4652
                            },{
                                \"metric\": \"new_maintainability_rating\",
                                \"period\": {
                                    \"bestValue\": \"true\",
                                    \"index\": 1,
                                    \"value\": 1.0
                                }
                            },{
                                \"bestValue\": \"false\",
                                \"metric\": \"reliability_rating\",
                                \"value\": 5.0
                            },{
                                \"metric\": \"new_security_review_rating\",
                                \"period\": {
                                    \"bestValue\": \"true\",
                                    \"index\": 1,
                                    \"value\": 1.0
                                }
                            },{
                                \"metric\": \"new_bugs\",
                                \"period\": {
                                    \"bestValue\": \"false\",
                                    \"index\": 1,
                                    \"value\": 3
                                }
                            },{
                                \"bestValue\": \"false\",
                                \"metric\": \"duplicated_lines_density\",
                                \"value\": 49.7
                            },{
                                \"metric\": \"new_security_rating\",
                                \"period\": {
                                    \"bestValue\": \"true\",
                                    \"index\": 1,
                                    \"value\": 1.0
                                }
                            },{
                                \"metric\": \"new_code_smells\",
                                \"period\": {
                                    \"bestValue\": \"false\",
                                    \"index\": 1,
                                    \"value\": 63
                                }
                            }
                        ]
                    }
                }
            }
        ]
    "
```extract key field```
| spath output=key path=measures.component.key
```extract the metric field to a multivalue field```
| spath output=metric path=measures.component.measures{}.metric
```extract the measures array```
| spath output=Array path=measures.component.measures{}
```use regex to extract the value fields from the nested array```
| rex field=Array max_match=100 "\"value\":\"?(?P<value>[\w.]+)\"?"
| fields - _raw Array measures
```concatenate the two multivalue fields so they "stay in sync" after expansion```
| eval zip=mvzip(metric,value,"####")
| mvexpand zip
| rex field=zip "^(?P<metric>[^#]+)####(?P<value>[^#]+)$"
```create new variables from metric field```
| eval {metric}=value
| fields - metric value zip
```get all into a single row```
| filldown
| tail 1

splunk splunk-query splunk-formula splunk-calculation
1 answer
0
votes
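
A variant of the answer's query, added here as an example and not part of the original answer: it expands the measures array first and parses each element with spath, so every metric is paired with the value from its own object (value, or period.value for the new_* metrics). mvzip pairs the two multivalue fields by position, so a measure without a value would shift every later pair; expanding first avoids that. The sample event is constructed (reduced from the mock data above) and the field name measure is an arbitrary choice.

```spl
| makeresults ```constructed sample event, reduced from the mock data above```
    format=json
    data="[{\"branch\":\"test\",\"measures\":{\"component\":{\"key\":\"XXXXXXX\",\"measures\":[{\"metric\":\"alert_status\",\"value\":\"ERROR\"},{\"bestValue\":\"false\",\"metric\":\"sqale_index\",\"value\":4652},{\"metric\":\"new_bugs\",\"period\":{\"bestValue\":\"false\",\"index\":1,\"value\":3}}]}}}]"
| spath output=key path=measures.component.key
| spath output=branch path=branch
| spath output=measure path=measures.component.measures{}
| mvexpand measure ```one result row per element of the measures array```
| spath input=measure ```parse that element only: metric, value, period.value```
| eval value=coalesce(value, 'period.value') ```new_* metrics keep their number under period```
| eval {metric}=value ```name a column after the metric```
| fields - _raw measures measure metric value bestValue period.*
| stats values(*) as * by key branch ```collapse to one row per project key and branch```
```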
