I have two columns per event I am trying to use. We'll call these col1 and UknownRandomColumnName (urcn for short).
The key of urcn changes from event to event and is unknown prior to search time, but the value of col1 will always be the key of urcn.
How can I use the value of col1 as a key for the data I'd like to output from urcn in a search? Example data for my events may look like this in a table:
=============================
| col1  | urcn1   | urcn2   |
=============================
| urcn1 | Value_1 |         |
-----------------------------
| urcn2 |         | Value_2 |
-----------------------------
Here is an example sample of the events:
{
    type: "fwagods",
    fwagods: {
        name:"someNameHere",
        age:23
    }
},
{
    type: "zsaf",
    zsaf: {
        name:"someName2",
        age:65
    }
},
{
    type: "smorflafaum",
    smorflafaum: {
        name:"SomeName3",
        age:41
    }
}
The query of the table inputs should produce:
Value_1
Value_2
The query of the event format inputs should produce:
name: someNameHere, age: 23
name: someName2, age: 65
name: SomeName3, age: 41
Hey, I was able to solve this issue. We know the property names of the child values inside of the object we do not know the key for. With this in mind, we are able to use the rex method and extract the values from the _raw field.
| rex field=_raw "name\":\s?\"?(?<new_name>.*?)\"?(,|})" | table new_name
would output
someNameHere
someName2
SomeName3
Credit and thanks to @PM 77-1 for helping me talk through this.
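
An added example, not part of the original posts: when the events are valid JSON, `spath` plus `foreach` can select the child object whose key equals the value of `type`, instead of matching `name` anywhere in `_raw`. It assumes quoted JSON keys (the sample above leaves them unquoted); the three events are constructed from that sample, and `n`, `name` and `age` are field names chosen here.

```spl
| makeresults count=3
| streamstats count AS n
| eval _raw=case(
    n=1, "{\"type\":\"fwagods\",\"fwagods\":{\"name\":\"someNameHere\",\"age\":23}}",
    n=2, "{\"type\":\"zsaf\",\"zsaf\":{\"name\":\"someName2\",\"age\":65}}",
    n=3, "{\"type\":\"smorflafaum\",\"smorflafaum\":{\"name\":\"SomeName3\",\"age\":41}}")
| spath
| foreach *.name [ eval name=if(type=="<<MATCHSTR>>", '<<FIELD>>', name) ]
| foreach *.age [ eval age=if(type=="<<MATCHSTR>>", '<<FIELD>>', age) ]
| table type name age
```

`<<MATCHSTR>>` is the part of the field name matched by `*`, so each event takes its value only from the object named by its own `type`.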