Hello,
I have the following example JSON data:
{
  "spec": {
    "field1": "X",
    "field2": "Y",
    "field3": "Z",
    "containers": [
      {
        "name": "A",
        "privileged": true
      },
      {
        "name": "B"
      },
      {
        "name": "C",
        "privileged": true
      }
    ]
  }
}
I'm trying to write a query that only returns privileged containers. I've been trying to use mvfilter but that won't return the name of the container. Here's what I was trying to do:
index=MyIndex spec.containers{}.privileged=true
| eval priv_containers=mvfilter(match('spec.containers{}.privileged',"true"))
| stats values(priv_containers) count by field1, field2, field3
This will, however, just return "true" in the priv_containers values column, instead of the container's name. What would be the best way to accomplish that?
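One way to get the names, as an added example that is not part of the original post: `spec.containers{}.name` and `spec.containers{}.privileged` are extracted as two independent multivalue fields, and because container B has no `privileged` key they hold A, B, C and true, true, so the values cannot be paired by position. Expanding each container object into its own row keeps a name together with its flag. It assumes the event is JSON in `_raw` and that the grouping fields are extracted as `spec.field1` and so on; `container`, `container_name`, `container_privileged` and `priv_container_count` are names chosen for this example.

```spl
index=MyIndex spec.containers{}.privileged=true
| spath path=spec.containers{} output=container
| mvexpand container
| spath input=container path=name output=container_name
| spath input=container path=privileged output=container_privileged
| where container_privileged="true"
| stats values(container_name) AS priv_containers count AS priv_container_count BY spec.field1, spec.field2, spec.field3
```

After `mvexpand`, `count` counts privileged containers rather than events. For the sample event above, `priv_containers` holds A and C.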