Here is my set:

| makeresults
| eval _raw="[[\"A\",\"AA\"],[\"B\",\"BB\"],[\"C\",\"CC\"]]"
| spath path={}{} output=data

I would like to have 3 distinct tuples, the A together, the B together and the C together, but I get everything on one line with my request.

I can do something like

| spath path={0}{} output=data0
| spath path={1}{} output=data1
| spath path={2}{} output=data2

but I'm looking for something more dynamic :)

Any idea?

Raven

1 Answer

Assuming your data doesn't consist of any other JSON, you can use regular expressions to extract each entry and process it that way. Check this example.

| makeresults count=5
| eval random=random()
| eval _raw="[[\"A\",\"AA\"],[\"B\",\"BB\"],[\"C\",\"CC\"]]"
| rex max_match=0 field=_raw "(?<d>\[[^\[\]]+\])"
| mvexpand d
| streamstats count by random
| eval data_{count}=d
| fields _time, data_*, random
| stats values(_time) as _time, values(*) AS * by random
| fields - random

I added some extra complexity for the LOLs. The streamstats is used to get an incremental counter that is then used to create some new column names in the order of data_0, data_1, etc... A random number is generated at the start and included with the event, so you can join up all the split events at the end.

Simon Duff
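An added example, not part of the answer above: the answer's `rex` pattern reproduced in Python and compared with a real JSON parser, to show on which inputs its stated assumption (no other JSON inside the data) holds. The function names and the sample inputs are constructed for this illustration.

```python
import json
import re

# Same pattern as the rex command in the answer; Python spells the named
# group (?P<d>...) where Splunk's rex accepts (?<d>...).
INNER = re.compile(r"(?P<d>\[[^\[\]]+\])")

def split_with_regex(raw):
    """Mimic rex max_match=0 followed by streamstats count (1-based counter)."""
    return {f"data_{i}": m for i, m in enumerate(INNER.findall(raw), start=1)}

def regex_agrees_with_parser(raw):
    """True when every regex match is exactly one top-level element of the array."""
    try:
        from_regex = [json.loads(m) for m in INNER.findall(raw)]
    except ValueError:
        return False
    return from_regex == json.loads(raw)

# Constructed sample events.
SAMPLES = {
    # The event from the question: flat pairs, so the pattern is enough.
    "question": '[["A","AA"],["B","BB"],["C","CC"]]',
    # A bracket inside a string value: the first pair is never matched,
    # and the fragment [1] is returned in its place.
    "bracket_in_string": '[["A","x[1]"],["B","BB"]]',
    # One more level of nesting: only the innermost array is matched.
    "nested_array": '[["A",["AA","AAA"]],["B","BB"]]',
}

def check_all():
    """Map each sample name to whether the regex split can be trusted for it."""
    return {name: regex_agrees_with_parser(raw) for name, raw in SAMPLES.items()}

if __name__ == "__main__":
    for name, ok in check_all().items():
        print(f"{name:18} regex_ok={ok} fields={split_with_regex(SAMPLES[name])}")
```

When the check fails for representative events, the split silently yields wrong or missing tuples rather than an error, so a JSON-aware extraction is needed for that data.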