I have JSON data like this:
{
"default": 3,
"payload": { "a": 1, "b": 4 }
}
The keys in my payload object differ for different use cases, and I want to lift all the key-value pairs in the payload property to the top level.
I.e., I don't want to query 'payload.a' but simply 'a'.
With a fixed set of keys I could do this transformation in props.conf but as I said the keys of the payload object vary.
Is it possible to lift the contents of a nested object?
"spath output=$MAGIC path=payload.$MAGIC"
The best of what I can think at the moment is a (python) custom command, which does the trick, but you know ...
Sure there is a better way?!
PS: We are on Splunk 6.4