Hi guys,
I have a problem. Every time I try to run the following search, the result is duplicated in each line, except for the date and time. What could it be? My log is in JSON format.
```
index="my_index" source="my_source" sourcetype="my_sourcetype"
| rename field1 , field2, field3, ....
| eval Date = strftime(_time, "%d-%m-%Y")
| eval Hour = strftime(_time, "%H-%M-%S")
| spath output=Rules path=field.sub-field{}.code
| table Date, Hour, field1 , field2, field3, ....
```