To simplify things, I will just follow your initial clue and assume that ID and Name are also part of event.ResourceAttributes.

index=test field1=* field2=*
| spath input=field3
| foreach "event.ResourceAttributes.Name", "event.ResourceAttributes.Resource Name", "event.ResourceAttributes.ID" [
| eval type=mvappend(type, if(isnotnull('<<FIELD>>'), '<<FIELD>>', null())) ]
| stats values(type) as "Additional Details" by event.AccountId event.CloudPlatform event.CloudService

If they are in some other nodes, just rewrite the foreach list. Here is a fuller emulation that I made up based on your singular mock data point.

| makeresults
| eval field3 = mvappend("{\"event\": {
\"AccountId\": \"xxxxxxxxxx2\",
\"CloudPlatform\": \"CloudProvider\",
\"CloudService\": \"Service\",
\"ResourceAttributes\": {\"key1\": \"value1\", \"ID\": \"value2\", \"key3\": \"value3\", \"key4\": [{\"key\": \"value\", \"key\": \"value\"}], \"Resource Name\": \"name-resource-121sg6fe\", \"etc\": \"etc\"}
}
}" ``` has ID, Resource Name, no Name ```,
"{\"event\": {
\"AccountId\": \"xxxxxxxxxx1\",
\"CloudPlatform\": \"CloudProvider\",
\"CloudService\": \"Service\",
\"ResourceAttributes\": {\"key1\": \"value1\", \"key2\": \"value2\", \"key3\": \"value3\", \"key4\": [{\"key\": \"value\", \"key\": \"value\"}], \"Resource Name\": \"name-resource-121sg6fe\", \"etc\": \"etc\"}
}
}" ``` has Resource Name, no others ```,
"{\"event\": {
\"AccountId\": \"xxxxxxxxxx2\",
\"CloudPlatform\": \"CloudProvider\",
\"CloudService\": \"Service\",
\"ResourceAttributes\": {\"Name\": \"value1\", \"key2\": \"value2\", \"ID\": \"value3\", \"key4\": [{\"key\": \"value\", \"key\": \"value\"}], \"etc\": \"etc\"}
}
}" ``` has ID, Name, no Resource Name ```,
"{\"event\": {
\"AccountId\": \"xxxxxxxxxx1\",
\"CloudPlatform\": \"CloudProvider\",
\"CloudService\": \"Service\",
\"ResourceAttributes\": {\"key1\": \"value1\", \"key2\": \"value2\", \"key3\": \"value3\", \"key4\": [{\"key\": \"value\", \"key\": \"value\"}], \"etc\": \"etc\"}
}
}" ``` has none of the three ```)
| mvexpand field3
``` the above sort of emulates
index=test field1=* field2=*
```
| eval type = json_object()
| spath input=field3
| foreach "event.ResourceAttributes.Name", "event.ResourceAttributes.Resource Name", "event.ResourceAttributes.ID" [
| eval type=mvappend(type, if(isnotnull('<<FIELD>>'), '<<FIELD>>', null())) ]
| stats values(type) as "Additional Details" by event.AccountId event.CloudPlatform event.CloudService

What this does is to add variations to which of "Name", "Resource Name", and "ID" do or do not appear in each event. You can play with it and compare with real data. The output is

| event.AccountId | event.CloudPlatform | event.CloudService | Additional Details |
| --- | --- | --- | --- |
| xxxxxxxxxx1 | CloudProvider | Service | name-resource-121sg6fe; {} |
| xxxxxxxxxx2 | CloudProvider | Service | name-resource-121sg6fe; value1; value2; value3; {} |

One more suggestion: @bowesmana's idea is just to use foreach. The above format does not group the present or missing attributes in a very distinguishable manner. An alternative to using mvappend inside the foreach subsearch is to also carry the input keys in addition to values in "Additional Details". Using a JSON structure is one such method.

index=test field1=* field2=*
| eval type = json_object()
| spath input=field3
| foreach "event.ResourceAttributes.Name", "event.ResourceAttributes.Resource Name", "event.ResourceAttributes.ID" [
| eval type=json_set(type, replace("<<FIELD>>", "event.ResourceAttributes.", ""), '<<FIELD>>') ]
| stats values(type) as "Additional Details" by event.AccountId event.CloudPlatform event.CloudService

This is a full emulation:

| makeresults
| eval field3 = mvappend("{\"event\": {
\"AccountId\": \"xxxxxxxxxx2\",
\"CloudPlatform\": \"CloudProvider\",
\"CloudService\": \"Service\",
\"ResourceAttributes\": {\"key1\": \"value1\", \"ID\": \"value2\", \"key3\": \"value3\", \"key4\": [{\"key\": \"value\", \"key\": \"value\"}], \"Resource Name\": \"name-resource-121sg6fe\", \"etc\": \"etc\"}
}
}" ``` has ID, Resource Name, no Name ```,
"{\"event\": {
\"AccountId\": \"xxxxxxxxxx1\",
\"CloudPlatform\": \"CloudProvider\",
\"CloudService\": \"Service\",
\"ResourceAttributes\": {\"key1\": \"value1\", \"key2\": \"value2\", \"key3\": \"value3\", \"key4\": [{\"key\": \"value\", \"key\": \"value\"}], \"Resource Name\": \"name-resource-121sg6fe\", \"etc\": \"etc\"}
}
}" ``` has Resource Name, no others ```,
"{\"event\": {
\"AccountId\": \"xxxxxxxxxx2\",
\"CloudPlatform\": \"CloudProvider\",
\"CloudService\": \"Service\",
\"ResourceAttributes\": {\"Name\": \"value1\", \"key2\": \"value2\", \"ID\": \"value3\", \"key4\": [{\"key\": \"value\", \"key\": \"value\"}], \"etc\": \"etc\"}
}
}" ``` has ID, Name, no Resource Name ```,
"{\"event\": {
\"AccountId\": \"xxxxxxxxxx1\",
\"CloudPlatform\": \"CloudProvider\",
\"CloudService\": \"Service\",
\"ResourceAttributes\": {\"key1\": \"value1\", \"key2\": \"value2\", \"key3\": \"value3\", \"key4\": [{\"key\": \"value\", \"key\": \"value\"}], \"etc\": \"etc\"}
}
}" ``` has none of the three ```)
| mvexpand field3
``` the above sort of emulates
index=test field1=* field2=*
```
| eval type = json_object()
| spath input=field3
| foreach "event.ResourceAttributes.Name", "event.ResourceAttributes.Resource Name", "event.ResourceAttributes.ID" [
| eval type=json_set(type, replace("<<FIELD>>", "event.ResourceAttributes.", ""), '<<FIELD>>') ]
| stats values(type) as "Additional Details" by event.AccountId event.CloudPlatform event.CloudService

And output from this emulation.

| event.AccountId | event.CloudPlatform | event.CloudService | Additional Details |
| --- | --- | --- | --- |
| xxxxxxxxxx1 | CloudProvider | Service | {"Name":null,"Resource Name":"name-resource-121sg6fe","ID":null}; {"Name":null,"Resource Name":null,"ID":null} |
| xxxxxxxxxx2 | CloudProvider | Service | {"Name":"value1","Resource Name":null,"ID":"value3"}; {"Name":null,"Resource Name":"name-resource-121sg6fe","ID":"value2"} |
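As an added example (not from this post, and not Splunk code), here is a Python emulation of both pipelines over the same four constructed events, so the two shapes of "Additional Details" can be compared side by side: the mvappend form yields a bare value list with no record of which attribute each value came from, while the json_set form keeps every key, with null for the missing ones. The event set is trimmed to the keys the foreach actually reads, the sort emulates how stats values() orders distinct values, and the stray {} that comes from initialising type with json_object() is not reproduced.

```python
import json
from collections import defaultdict

# Same three attributes the SPL foreach list reads, in the same order.
ATTRS = ["Name", "Resource Name", "ID"]

# Constructed events mirroring the four makeresults/mvappend cases in the post,
# trimmed to the keys the foreach actually looks at.
EVENTS = [
    {"event": {"AccountId": "xxxxxxxxxx2", "CloudPlatform": "CloudProvider", "CloudService": "Service",
               "ResourceAttributes": {"key1": "value1", "ID": "value2", "Resource Name": "name-resource-121sg6fe"}}},
    {"event": {"AccountId": "xxxxxxxxxx1", "CloudPlatform": "CloudProvider", "CloudService": "Service",
               "ResourceAttributes": {"key1": "value1", "Resource Name": "name-resource-121sg6fe"}}},
    {"event": {"AccountId": "xxxxxxxxxx2", "CloudPlatform": "CloudProvider", "CloudService": "Service",
               "ResourceAttributes": {"Name": "value1", "ID": "value3"}}},
    {"event": {"AccountId": "xxxxxxxxxx1", "CloudPlatform": "CloudProvider", "CloudService": "Service",
               "ResourceAttributes": {"key1": "value1"}}},
]


def group_key(ev):
    """The `by` clause of the stats command."""
    e = ev["event"]
    return (e["AccountId"], e["CloudPlatform"], e["CloudService"])


def values_only(ev):
    """mvappend variant: keeps the values that exist, drops which key each came from."""
    attrs = ev["event"].get("ResourceAttributes", {})
    return [attrs[a] for a in ATTRS if attrs.get(a) is not None]


def keyed(ev):
    """json_set variant: one JSON object per event, missing attributes kept as null."""
    attrs = ev["event"].get("ResourceAttributes", {})
    return [json.dumps({a: attrs.get(a) for a in ATTRS}, separators=(",", ":"))]


def stats_values(events, extract):
    """Emulates `stats values(type) by <group>`: distinct values per group, sorted."""
    out = defaultdict(set)
    for ev in events:
        out[group_key(ev)].update(extract(ev))
    return {k: sorted(v) for k, v in out.items()}


if __name__ == "__main__":
    for name, fn in (("mvappend", values_only), ("json_set", keyed)):
        print(name)
        for key, details in stats_values(EVENTS, fn).items():
            print("  ", key, details)
```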