Channel: Questions in topic: "splunk-enterprise"

Split json into multiple events and sourcetype

Let's say I have the following JSON data onboarded.

```
{
  "slaves": [
    { "id": "1234", "hostname": "12556" },
    { "id": "1245", "hostname": "1266" }
  ],
  "masters": [
    { "id": "2234", "hostname": "22556" },
    { "id": "2245", "hostname": "2266" }
  ]
}
```

The result that I want is that for each slave I get an event with sourcetype indexnamex:slave, and for each master I want to put each event in sourcetype indexnamex:master.

So in indexnamex:slave I want 2 events:

indexnamex:slave **Event1**
> {"id": "1234","hostname": "12556" }

indexnamex:slave **Event2**
> { "id": "1245", "hostname": "1266" }

And in indexnamex:master also two events:

indexnamex:master **Event 1**
> { "id": "2234", "hostname": "22556" }

indexnamex:master **Event 2**
> { "id": "2245", "hostname": "2266" }

I cannot split on e.g. hostname x } as it is the same for slaves and masters. Is it possible to do splitting in multiple steps? E.g. first split on "slaves" : and "masters": and after that split do a split on what is left? If not, are there any other options?

Note: the example is simpler than my real data, as it is 10k lines.
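The split described in the question, written as an added example that is not part of the original post: it assumes the file is pre-processed outside Splunk and delivered through the HTTP Event Collector, whose event envelope carries a per-event `sourcetype`. The function names `split_events` and `to_hec_payload` are hypothetical.

```python
import json

# Constructed sample: the JSON from the question, with the comma
# between the two arrays that valid JSON requires.
SAMPLE = """{
  "slaves":  [{"id": "1234", "hostname": "12556"}, {"id": "1245", "hostname": "1266"}],
  "masters": [{"id": "2234", "hostname": "22556"}, {"id": "2245", "hostname": "2266"}]
}"""

# Top-level key -> sourcetype, using the names given in the question.
SOURCETYPES = {"slaves": "indexnamex:slave", "masters": "indexnamex:master"}


def split_events(raw, sourcetypes=SOURCETYPES):
    """Return one HEC-style envelope per array element, tagged by its parent key."""
    doc = json.loads(raw)
    if not isinstance(doc, dict):
        raise ValueError("expected a JSON object at the top level")
    events = []
    for key, sourcetype in sourcetypes.items():
        items = doc.get(key, [])  # a missing key simply yields no events
        if not isinstance(items, list):
            raise ValueError(f"{key!r} is not an array")
        for item in items:
            # The parent key decides the sourcetype, so identical-looking
            # objects under "slaves" and "masters" stay distinguishable.
            events.append({"sourcetype": sourcetype, "event": item})
    return events


def to_hec_payload(events):
    """Serialize envelopes as JSON objects, one per line, for a batched HEC post."""
    return "\n".join(json.dumps(e, separators=(",", ":")) for e in events)


if __name__ == "__main__":
    print(to_hec_payload(split_events(SAMPLE)))
```

Because the whole document is parsed before splitting, this approach needs the complete JSON in memory, which is workable for a file of about 10k lines.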
