I am trying following query
| makeresults | eval _raw="{\"records\":[{\"Name\":\"name\"},{\"Name\":\"worst_food\",\"Value\":\"salad\"},{\"Name\":\"ex-wife\",\"Value\":\"Tammy\"}]}" | spath
this returns table as like below in Splunk.
records{}.name records().value
name salad
worst_food Tammy
ex-wife
But i am expecting value as like
records{}.name records().value
name
worst_food salad
ex-wife Tammy
Anyone experienced this issue? could you please share some knowledge that how to derive expected result.
@Dhana
Can you please try this?
| makeresults
| eval _raw="{\"records\":[{\"Name\":\"name\"},{\"Name\":\"worst_food\",\"Value\":\"salad\"},{\"Name\":\"ex-wife\",\"Value\":\"Tammy\"}]}"
| spath path=records{} output=records | mvexpand records | rename records as _raw | kv | table Name Value
Thanks