21 Oct 2024 03:45 PM
I would like to make a json from some log attributes. Is this possible?
21 Oct 2024 05:11 PM
Yes, if you can enumerate them. Let's assume you have the following demo data:
You can build an object (complex record) using the record function:
Here is my query for easy reuse:
data json:"""[{"a":1,"b":"x"},{"a":2,"b":"y"}]"""
| fieldsAdd j = record(a,b)
| fieldsAdd js = toString(j)
I hope it helps.
22 Oct 2024 07:11 AM
Hello @lucassilveira,
Can you mention a sample log line to give you the proper transformation method?
22 Oct 2024 07:40 AM
In addition to what @krzysztof_hoja mentioned, you can use Key-Value Pairs (KVPs) as outlined in the documentation: Key-Value Pairs.
In a log processing rule, you can use the KVP operator to transform the necessary key-value pairs into JSON.
For example:
PARSE(content,"'[' JSONTIMESTAMP:timestamp '] ' KVP{'['[^[:]*:key ': ' DATA:value '] '}:kvp '[[' DATA:message ']]'")
|FIELDS_ADD(loglevel:kvp[LOGLEVEL])
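An added illustration, not part of the original post and not Dynatrace code: a Python sketch of what the pattern above extracts from a line and how the pairs end up as JSON. The log-line shape, the sample line and the names `line_to_json`, `LINE_RE` and `PAIR_RE` are assumptions made for this example, since the thread shows no real log line.

```python
import json
import re

# Constructed sample line in the shape the PARSE pattern appears to expect:
# '[timestamp] ' then zero or more '[key: value] ' groups, then '[[message]]'.
SAMPLE = '[2024-10-22T07:40:00Z] [LOGLEVEL: INFO] [user: al"ice] [[login ok]]'

# Whole line: timestamp, the run of key-value groups, the message.
LINE_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] (?P<kvps>(?:\[[^\[:]*: .*?\] )*)\[\[(?P<msg>.*)\]\]$'
)
# One group: key is anything except '[' or ':', value runs lazily up to '] '.
PAIR_RE = re.compile(r'\[([^\[:]*): (.*?)\] ')


def line_to_json(line):
    """Return the line as a JSON string, or None if it does not fit the shape."""
    m = LINE_RE.match(line)
    if m is None:
        return None  # leave non-matching lines unparsed instead of guessing
    kvp = {}
    for key, value in PAIR_RE.findall(m.group("kvps")):
        if key in kvp:
            # A repeated key keeps every value rather than overwriting the first.
            seen = kvp[key]
            kvp[key] = seen + [value] if isinstance(seen, list) else [seen, value]
        else:
            kvp[key] = value
    record = {"timestamp": m.group("ts"), "kvp": kvp, "message": m.group("msg")}
    # json.dumps escapes quotes and control characters in log-supplied values,
    # which hand-built string concatenation would not.
    return json.dumps(record, sort_keys=True)


if __name__ == "__main__":
    print(line_to_json(SAMPLE))
```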
21 Nov 2024 01:21 PM
Nice. I didn't know about this feature.