Hi I have json events that have an array with objects and i want to extract a property from it
Some pseudo search code
| spath output=LastResult path=message.results{-1}
| table LastResult.timestamp
{-1} indexing does not seem to work in spath
| spath output=Results path=message.results{}
| eval LastResult=mvindex(Results, -1)
| table LastResult.timestamp
Also does not work because LastResult has become a string version of the last array element so .timestamp does not work on that string.
my actual objects are a bit more complex and I want to get multiple properties so a regex on the string returned by mvindex is not really an option.
Is there a good way to do this?
,I got a json that with arrays in events.
I'd like to access a property of the last element in such array
| spath output=LastResult path=message.results{-1}
| table LastResult.timestamp
but {-1} does not seem to work for indexing the last element
| spath output=Results path=message.results{}
| eval LastResult= mvindex(Results, -1)
| table LastResult.timestamp
mvindex does accept -1 and it does get the last result from the array
But also does not work because LastResult becomes a string instead of an json object and thus .timestamp does not work
Is there a way to do this?
↧