
How to create a table from indexed nested array

I have been banging my head against the wall for a while and would love some help. Imagine I have the two event logs and would like to create a table from them. The logs have an array value and I want the last item in that array and I want the `message` value. Additionally I want a top level from each event. So if I have the following two logs:

Event Log 1

```
{
  "description": "My description",
  "param.response.tracking": [
    { "message": "My message" },
    { "message": "My other message" }
  ]
}
```

Event Log 2

```
{
  "description": "My description 1",
  "param.response.tracking": [
    { "message": "My message 1" },
    { "message": "My other message 1" }
  ]
}
```

I want the resulting table:

```
description, message
"My description", "My other message"
"My description 1", "My other message 1"
```

I came to this question, which is very close to what I want, https://answers.splunk.com/answers/769708/how-to-access-a-property-on-the-last-element-in-an-1.html, but it doesn't work. For me this would be:

```
...
| spath output=result path=param.response.tracking{}
| eval res = mvindex(result,mvcount(result)-1)
| table description, res.message
```

Any help is appreciated.
