我有一个字段testing.name{}.nameParts.value,我正在尝试评估该字段并将该值拆分为3列:名字、中间名和姓氏
字段内的数据看起来是这样的
testing.name{}.nameParts: [
{
type: GivenName
value:John
}
{
type: GivenName
value: X
}
{
type: Surname
value: Doe
}
]
这是我的代码 - 但我无法让它工作,因为有效负载结构转置有点棘手 - 名字和中间名都在事件有效负载中表示为 GiveName
| spath input="testing.name{}.nameParts{}" output=names
| mvexpand names
| eval type = names.type, value = names.value
| eval firstname=if(type=="GivenName", value, null()), middlename=if(type=="GivenName" AND isnull(firstname), value, null()), surname=if(type=="Surname", value, null())
| stats values(firstname) as firstname, values(middlename) as middlename, values(surname) as surname
我也试过这个
| rex field=testing.name{}.nameParts{}.value "\btype:\s*(?<type>[^\s]+)\s*value:\s*(?<value>[^\s]+)"
| eval FirstName = if(type=="GivenName", value,null()), MiddleName = if(type=="GivenName", value,null()), Lastname = if(type=="Surname", value, null())
| stats values(GivenName) as FirstName, values(MiddleName) as MiddleName, values(LastName) as LastName
尝试在任何地方运行以下 SPL:
| makeresults
| eval _raw="
{
\"testing\": {
\"name\": [{
\"nameParts\": [{
\"type\": \"GivenName\",
\"value\": \"John David\"
}, {
\"type\": \"GivenName\",
\"value\": \"X Y\"
}, {
\"type\": \"Surname\",
\"value\": \"Doe\"
}
]
}
]
}
}
"
| spath input=_raw path=testing.name{}.nameParts{}.value output=firstname
| spath input=_raw path=testing.name{}.nameParts{}.type output=lastname
| eval zipNames=mvzip(firstname,lastname)
| mvexpand zipNames
| rex field=zipNames "^(?<Firstname>\w+)(?:\h+(?<Middlename>\w+))?,(?<Lastname>[^,]+)$"
| table Firstname Middlename Lastname