I have some JSON output that is in key value structure (protobuf3 formatted--this is OTLP data going into Splunk Enterprise events) and it has multiple values in each field. There are multiple key value attributes stored under an attributes parent, and then its fields are under a metric parent. I want to take the host.name attribute and map it to every metrics value I see. Here is a working example of the raw JSON:

{
"resourceMetrics": [
{
"resource": {
"attributes": [
{
"key": "host.name",
"value": {
"stringValue": "myname1"
}
},
{
"key": "telemetry.sdk.name",
"value": {
"stringValue": "my_sdk"
}
}
]
},
"scopeMetrics": [
{
"metrics": [
{
"name": "hw.host.energy",
"gauge": {
"dataPoints": [
{
"timeUnixNano": "1712951030986039000",
"asDouble": 359
}
]
}
},
{
"name": "hw.host.power",
"gauge": {
"dataPoints": [
{
"timeUnixNano": "1712951030986039000",
"asDouble": 26
}
]
}
}
]
}
]
},
{
"resource": {
"attributes": [
{
"key": "host.name",
"value": {
"stringValue": "myname2"
}
},
{
"key": "telemetry.sdk.name",
"value": {
"stringValue": "my_sdk"
}
}
]
},
"scopeMetrics": [
{
"metrics": [
{
"name": "hw.host.energy",
"gauge": {
"dataPoints": [
{
"timeUnixNano": "1712951030987780000",
"asDouble": 211
}
]
}
}
]
}
]
}
]
}

There may be multiple attributes, in various orders, but I am only interested in grabbing the host.name value from there, and then associating host.name with all metrics under the metrics parent within the resource parent. The metrics parent may contain multiple metrics in the array. And then new resources (with a new host.name and new metrics) would show up as the next resource entry in the resources array. So what I want is something like this in a row-based format of host.name.value > metric:

host.name          metric
host.name,myname1  hw.host.energy,359
host.name,myname1  hw.host.power,26
host.name,myname2  hw.host.energy,211

The problem I am having is I don't want the other attributes from the attribute parent, which in the example is the telemetry.sdk.name key and value. But since they are there, I can't figure out how to zip and expand properly, as the telemetry.sdk.name value gets associated with legit metrics, looking something like below, which would mean if I drop row 2 I lose the power metric = 26 for myname1. Parsing some spaths, the structure looks something like this:

attr_zip                   metric_zip
host.name,myname1          hw.host.energy,359
telemetry.sdk.name,my_sdk  hw.host.power,26
host.name,myname2          hw.host.energy,211
telemetry.sdk.name,my_sdk

I looked at mvfilter but can't seem to find a way to handle a variable number of attributes that may show up in the left column attr_zip, as it seems I need to know how many values I fill down in the field, and I am not sure how to get a count of the values from the right column metric_zip to know how many values down in attr_zip to fill. In JSON, all the metrics values share the same resource, so I should logically be able to reference the parent resource.attribute.host.name.value and concatenate that to every metric value.
Here's my current SPL, where I can get the columns concatenated properly, but would need to drop the rows in attr_zip that don't match the key of host.name:

| spath output=host_name path=resourceMetrics{}.resource.attributes{}
| mvexpand host_name
| spath output=attribute path=resourceMetrics{}.resource.attributes{}.key
| spath output=attribute_value path=resourceMetrics{}.resource.attributes{}.value.stringValue
| spath output=time resourceMetrics{}.scopeMetrics{}.metrics{}.gauge.dataPoints{}.timeUnixNano
| spath output=metric_name resourceMetrics{}.scopeMetrics{}.metrics{}.name
| spath output=metric_value resourceMetrics{}.scopeMetrics{}.metrics{}.gauge.dataPoints{}.asDouble
| eval attr_zip=mvzip(attribute, attribute_value)
| eval metric_zip=mvzip(metric_name, metric_value)
| table attribute,attribute_value, attr_zip, metric_zip

Anyone able to offer some guidance?
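As an added example (not from the original post), this Python shows the pairing rule the question is after, done outside Splunk: walk each resourceMetrics entry, look up host.name by key rather than by position in the attributes array, and attach it to every data point under that resource, so extra attributes like telemetry.sdk.name can never shift the zip. It goes slightly beyond the posted sample by also accepting sum metrics and asInt values, which is an assumption about other OTLP JSON shapes the post does not show.

```python
# Constructed sample: the question's two-resource payload, trimmed to the fields the
# flattening reads; note the attributes arrive in a different order per resource.
SAMPLE = {"resourceMetrics": [
    {"resource": {"attributes": [
        {"key": "host.name", "value": {"stringValue": "myname1"}},
        {"key": "telemetry.sdk.name", "value": {"stringValue": "my_sdk"}}]},
     "scopeMetrics": [{"metrics": [
        {"name": "hw.host.energy", "gauge": {"dataPoints": [{"asDouble": 359}]}},
        {"name": "hw.host.power", "gauge": {"dataPoints": [{"asDouble": 26}]}}]}]},
    {"resource": {"attributes": [
        {"key": "telemetry.sdk.name", "value": {"stringValue": "my_sdk"}},
        {"key": "host.name", "value": {"stringValue": "myname2"}}]},
     "scopeMetrics": [{"metrics": [
        {"name": "hw.host.energy", "gauge": {"dataPoints": [{"asDouble": 211}]}}]}]},
]}


def resource_attr(resource, key):
    """Return the stringValue of the attribute named `key`, wherever it sits in
    the attributes array; None when the resource has no such attribute."""
    for attr in resource.get("attributes", []):
        if attr.get("key") == key:
            return attr.get("value", {}).get("stringValue")
    return None


def flatten_metrics(payload, attr_key="host.name"):
    """Return (host, metric_name, value) rows. Each data point is paired with
    its own resource's attribute, so other attributes never shift the pairing
    the way a position-based mvzip does."""
    rows = []
    for rm in payload.get("resourceMetrics", []):
        host = resource_attr(rm.get("resource", {}), attr_key)
        for sm in rm.get("scopeMetrics", []):
            for metric in sm.get("metrics", []):
                # Assumption beyond the post: gauge and sum share the dataPoints
                # layout, and the value key is asDouble or asInt by metric type.
                body = metric.get("gauge") or metric.get("sum") or {}
                for dp in body.get("dataPoints", []):
                    rows.append((host, metric["name"], dp.get("asDouble", dp.get("asInt"))))
    return rows


if __name__ == "__main__":
    for host, name, value in flatten_metrics(SAMPLE):
        print(f"{host},{name},{value}")
```

A resource with no host.name attribute yields rows with host None rather than silently borrowing a neighbour's value, which is the failure mode the zip approach produces.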