FAQ
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Log processing rule - for each item in json array split on ":" then create fields using split[0] as key and split[1] as value

Jack_Stuart
Helper

‎08 Aug 2023 06:02 PM

Hi,

I'm having a bit of trouble extracting data from a json array. Would you be able to assist me?

for example

content={

   "some_array" : [

        "key1:value1",

        "key2:value2"

   ]

}

Is there a way for me to process each item in content.some_array, split on ":" and then create fields with the first item of the split being the field name/key and the second item being the field value?

Labels:
0 Kudos
Reply
7 REPLIES 7

Fin_Ubels
Dynatrace Champion
Dynatrace Champion

‎09 Aug 2023 02:08 AM

Hey Jack,

Is this what you were looking for?

Fin_Ubels_0-1691543186628.png

data json:"""{"some_array":["key1:value1", "key2:value2"]}"""
| expand some_array
| fields some_array = splitString(some_array, ":")

Or were you looking for each record replacing "some_array" with "key1", "key2" etc and then each value being "value1", "value2" etc?

0 Kudos
Reply

Jack_Stuart
Helper
In response to Fin_Ubels

‎09 Aug 2023 10:39 AM

Hi Fin,

That's really helpful and it is on the way to what I'm trying to do. I've included an real example below followed by a view of what I'm trying to achieve. The expand has allowed me access to the array elements but assigning them as fields after the split is proving difficult, and I'm not sure how I'd reverse the expand back into a single row

Example:

data json:"""{"log.source": "thousandeyes-123456","level": "ALERT","dt.source_entity": "CUSTOM_DEVICE-B6DDABA85A5054AF","dt.source_entity_type": "CUSTOM_DEVICE","id": 859508901,"type": 2,"alert_state": 2,"alert_id": "some-alert-id","alert_rule_alertType.id": "WebTransaction","alert_severity": "INFO","alert_url": "app.thousandeyes.com/alerts/list/?__a=some-alert-id","alert_description": "*Alert ID*: some-alert-id\n*Test Name*: Dynatrace Heartbeat - dynatraceheartbeatevent.com\n*Target/s*: dynatraceheartbeatevent.com\n*Alert Rule*: Dynatrace-HEARTBEAT - Error is present\n*Details*: 2\n*Link*: app.thousandeyes.com/alerts/list/?__a=225896&alertId=some-alert-id","alert_test_name": "Dynatrace Heartbeat - dynatraceheartbeatevent.com","alert_test_labels": ["CMDB_APPID:AL08672","Location:Turkey","City:Istanbul"]}"""
| filter matchesValue(dt.source_entity, "CUSTOM_DEVICE-B6DDABA85A5054AF") AND matchesValue(log.source, "thousandeyes-123456")
| expand alert_test_labels
| fieldsAdd label=splitString(alert_test_labels, ":") // CMDB_APPID:AL012345
| fieldsAdd labelKey=arrayFirst(label)
| fieldsAdd labelValue=arrayLast(label)

Jack_Stuart_1-1691573910685.png

 



View of what I'm trying to achieve:

data json:"""{"log.source": "thousandeyes-123456","level": "ALERT","dt.source_entity": "CUSTOM_DEVICE-B6DDABA85A5054AF","dt.source_entity_type": "CUSTOM_DEVICE","id": 859508901,"type": 2,"alert_state": 2,"alert_id": "some-alert-id","alert_rule_alertType.id": "WebTransaction","alert_severity": "INFO","alert_url": "app.thousandeyes.com/alerts/list/?__a=some-alert-id","alert_description": "*Alert ID*: some-alert-id\n*Test Name*: Dynatrace Heartbeat - dynatraceheartbeatevent.com\n*Target/s*: dynatraceheartbeatevent.com\n*Alert Rule*: Dynatrace-HEARTBEAT - Error is present\n*Details*: 2\n*Link*: app.thousandeyes.com/alerts/list/?__a=225896&alertId=some-alert-id","alert_test_name": "Dynatrace Heartbeat - dynatraceheartbeatevent.com","alert_test_labels": ["CMDB_APPID:AL08672","Location:Turkey","City:Istanbul"]}"""
| filter matchesValue(dt.source_entity, "CUSTOM_DEVICE-B6DDABA85A5054AF") AND matchesValue(log.source, "thousandeyes-123456")
| fieldsAdd CMDB_APPID="AL08672"
| fieldsAdd Location="Turkey"
| fieldsAdd City="Istanbul"

Jack_Stuart_0-1691573725013.png

 

0 Kudos
Reply

Fin_Ubels
Dynatrace Champion
Dynatrace Champion
In response to Jack_Stuart

‎09 Aug 2023 11:06 PM

Hey Jack,

Unfortunately I haven't been able to figure it out, I'm not sure how we can do that unless the number and order of "alert_test_labels" are fixed in which case we could do:

| fieldsAdd CMDB_APPID=arrayLast(splitString(alert_test_labels[0], ":"))
| fieldsAdd Location=arrayLast(splitString(alert_test_labels[1], ":"))
| fieldsAdd City=arrayLast(splitString(alert_test_labels[2], ":"))
| fieldsRemove alert_test_labels

Thats a very static solution but I'm not sure how else we could do this sorry.

0 Kudos
Reply

sinisa_zubic
Dynatrace Champion
Dynatrace Champion
In response to Jack_Stuart

‎10 Aug 2023 09:14 AM

Hi @Jack_Stuart 

I would suggest that you convert the array to string and use DPL to parse the fields.

You can do this in a more declarative way:

data json:"""{"log.source": "thousandeyes-123456","level": "ALERT","dt.source_entity": "CUSTOM_DEVICE-B6DDABA85A5054AF","dt.source_entity_type": "CUSTOM_DEVICE","id": 859508901,"type": 2,"alert_state": 2,"alert_id": "some-alert-id","alert_rule_alertType.id": "WebTransaction","alert_severity": "INFO","alert_url": "app.thousandeyes.com/alerts/list/?__a=some-alert-id","alert_description": "*Alert ID*: some-alert-id\n*Test Name*: Dynatrace Heartbeat - dynatraceheartbeatevent.com\n*Target/s*: dynatraceheartbeatevent.com\n*Alert Rule*: Dynatrace-HEARTBEAT - Error is present\n*Details*: 2\n*Link*: app.thousandeyes.com/alerts/list/?__a=225896&alertId=some-alert-id","alert_test_name": "Dynatrace Heartbeat - dynatraceheartbeatevent.com","alert_test_labels": ["CMDB_APPID:AL08672","Location:Turkey","City:Istanbul"]}"""
| filter matchesValue(dt.source_entity, "CUSTOM_DEVICE-B6DDABA85A5054AF") AND matchesValue(log.source, "thousandeyes-123456")
| fieldsAdd helper = toString(alert_test_labels)
| parse helper, """LD 'CMDB_APPID:' LD:CMDB_APPID '"' """
| parse helper, """ LD 'Location:' LD:Location '"' """
| parse helper, """ LD 'City:' LD:City '"' """
| parse helper, """'[' KVP{'"' LD:key ':' LD:value '"' (', '|']')}:kvp"""
| fieldsRemove helper

or parsing with using KVP 

data json:"""{"log.source": "thousandeyes-123456","level": "ALERT","dt.source_entity": "CUSTOM_DEVICE-B6DDABA85A5054AF","dt.source_entity_type": "CUSTOM_DEVICE","id": 859508901,"type": 2,"alert_state": 2,"alert_id": "some-alert-id","alert_rule_alertType.id": "WebTransaction","alert_severity": "INFO","alert_url": "app.thousandeyes.com/alerts/list/?__a=some-alert-id","alert_description": "*Alert ID*: some-alert-id\n*Test Name*: Dynatrace Heartbeat - dynatraceheartbeatevent.com\n*Target/s*: dynatraceheartbeatevent.com\n*Alert Rule*: Dynatrace-HEARTBEAT - Error is present\n*Details*: 2\n*Link*: app.thousandeyes.com/alerts/list/?__a=225896&alertId=some-alert-id","alert_test_name": "Dynatrace Heartbeat - dynatraceheartbeatevent.com","alert_test_labels": ["CMDB_APPID:AL08672","Location:Turkey","City:Istanbul"]}"""
| filter matchesValue(dt.source_entity, "CUSTOM_DEVICE-B6DDABA85A5054AF") AND matchesValue(log.source, "thousandeyes-123456")
| fieldsAdd helper = toString(alert_test_labels)
| parse helper, """'[' KVP{'"' LD:key ':' LD:value '"' (', '|']')}:kvp"""
| fieldsAdd City = kvp[City], Location = kvp[Location], CMDB_APPID = kvp[CMDB_APPID]
| fieldsRemove helper

Best,
Sini

0 Kudos
Reply

Jack_Stuart
Helper

‎14 Aug 2023 01:03 PM

Thanks for you help but to get around my problem I have decided to forward the data as events and trigger a workflow to process the JSON using a type script step. The problem is that the label values are dynamic so I can't add them as a kvp and access the label value without knowing the key up front

0 Kudos
Reply

peter_zahrer
Dynatrace Champion
Dynatrace Champion
In response to Jack_Stuart

‎30 Oct 2023 04:25 PM

Maybe this presents a way forward using the fieldsFlatten command:

data json:"""{"log.source": "thousandeyes-123456","level": "ALERT","dt.source_entity": "CUSTOM_DEVICE-B6DDABA85A5054AF","dt.source_entity_type": "CUSTOM_DEVICE","id": 859508901,"type": 2,"alert_state": 2,"alert_id": "some-alert-id","alert_rule_alertType.id": "WebTransaction","alert_severity": "INFO","alert_url": "app.thousandeyes.com/alerts/list/?__a=some-alert-id","alert_description": "*Alert ID*: some-alert-id\n*Test Name*: Dynatrace Heartbeat - dynatraceheartbeatevent.com\n*Target/s*: dynatraceheartbeatevent.com\n*Alert Rule*: Dynatrace-HEARTBEAT - Error is present\n*Details*: 2\n*Link*: app.thousandeyes.com/alerts/list/?__a=225896&alertId=some-alert-id","alert_test_name": "Dynatrace Heartbeat - dynatraceheartbeatevent.com","alert_test_labels": ["CMDB_APPID:AL08672","Location:Turkey","City:Istanbul"]}"""
| filter matchesValue(dt.source_entity, "CUSTOM_DEVICE-B6DDABA85A5054AF") AND matchesValue(log.source, "thousandeyes-123456")
| fieldsAdd helper = toString(alert_test_labels)
| parse helper, """'[' KVP{'"' LD:key ':' LD:value '"' (', '|']')}:kvp"""
| fieldsFlatten kvp

 

0 Kudos
Reply

mosharref_hossn
Observer
In response to peter_zahrer

‎11 Dec 2023 03:34 PM

@peter_zahrer 

I'm currently facing similar issue with dynamic key value pairs. The Log Processor Rule can parse the data using KVP parsing and store the data into an array. However, I want to extract those key:value into fields (key) so they can be used in DQL search or data explorer. 

However, the "fieldsFlatten" command is not supported in the Log processor definition (i.e. DPL). It works in Notebook DLP Architect, but not in the rule definition. 

Any other solution available?

mosharref_hossn_0-1702308848127.png

 

0 Kudos
Reply
Ask a question

Featured Posts