I have this sample log and I want to retrieve all values of a certain field and concatenate them in the Logs Insights result. I tried to parse this, but it can only retrieve the first occurrence.
Sample Log:
Field Value
@message {"level":"INFO","message":"Event","timestamp":"2023-04-05T20:27:42.606Z","event":{"version":"0","time":"2023-04-05T20:27:41Z","resources":[""],"detail":{"Entries":[{"Code":"C25"},{"Code":"C27"}]}}}
@timestamp 1680726462608
event.detail.Entries.0.Code C25
event.detail.Entries.1.Code C27
event.time 2023-04-05T20:27:41Z
event.version 0
level INFO
message Event
timestamp 2023-04-05T20:27:42.606Z
What I want to achieve:
@timestamp code
2023-04-05T20:27:42.606Z C25,C27
What I tried:
filter message like /Event/
| parse @message '{"Code":"*"}' as code
| sort @timestamp desc
| limit 20
What I got:
@timestamp code
2023-04-05T20:27:42.606Z C25
The query cannot retrieve the code "C27". How can this be done?
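An added example, not part of the original post and not a Logs Insights query: one way to get the wanted output by post-processing result rows client-side, walking the `Entries` array in `@message` instead of using a single `parse` capture (which the post reports returns only the first match). It assumes the rows have already been exported as dictionaries with an `@message` key; the function names and the two extra edge-case rows are constructed for illustration.

```python
import json

# Constructed sample rows: the first @message is the one from the post; the other
# two are constructed edge cases (no Entries array, and a non-JSON log line).
SAMPLE_ROWS = [
    {"@message": '{"level":"INFO","message":"Event","timestamp":"2023-04-05T20:27:42.606Z",'
                 '"event":{"version":"0","time":"2023-04-05T20:27:41Z","resources":[""],'
                 '"detail":{"Entries":[{"Code":"C25"},{"Code":"C27"}]}}}'},
    {"@message": '{"level":"INFO","message":"Event","timestamp":"2023-04-05T20:28:00.000Z",'
                 '"event":{"detail":{}}}'},
    {"@message": "START RequestId: constructed-example"},
]


def extract_codes(message):
    """Return (timestamp, "C25,C27") for one @message, or None if it is not an Event record."""
    try:
        record = json.loads(message)
    except json.JSONDecodeError:
        return None  # plain-text log line, nothing to extract
    if not isinstance(record, dict) or "Event" not in str(record.get("message", "")):
        return None  # mirrors the post's `filter message like /Event/`
    # Walk event -> detail -> Entries, tolerating missing or mistyped levels.
    node = record
    for key in ("event", "detail", "Entries"):
        node = node.get(key) if isinstance(node, dict) else None
    entries = node if isinstance(node, list) else []
    # Collect every Code in array order, not just the first occurrence.
    codes = [str(e["Code"]) for e in entries if isinstance(e, dict) and "Code" in e]
    return record.get("timestamp"), ",".join(codes)


def summarize(rows):
    """Apply extract_codes to every row and drop rows that are not Event records."""
    results = []
    for row in rows:
        extracted = extract_codes(row.get("@message", ""))
        if extracted is not None:
            results.append(extracted)
    return results


if __name__ == "__main__":
    for timestamp, code in summarize(SAMPLE_ROWS):
        print(timestamp, code)
```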