Consider allowing input= to be a wildcarded field as well. All of the field(s) that match would be passed in as top-level keys.
So if you had a single event with fields like this:
| fields | value |
| --- | --- |
| _raw | .... |
| source | ... |
| rec.name | Joe |
| rec.kids | Janet<br>Greg<br>Bob |
| rec.age | 45 |
You could run a command like so:
... | jmespath input=rec.* output=rec "{Name:name, Children:kids, Demographics:{age:to_number(age)}}"
And the output value for rec would look something like:
{ "Name" : "Joe",
"Children" : [ "Janet", "Greg", "Bob" ],
"Demographics": { "age": 45 }
}
If one of the rec.* fields already contains a JSON string, then the from_string() function can be used to convert and, if necessary, further manipulate the record.
BTW: I'm not even sure the syntax of the JMESPath example is legit. Good luck future self!
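A sketch of the field collection this request describes, as an added example that is not part of the original issue or the project's code. The function names are hypothetical, and two things are assumptions read off the expression in the post: the text matched by `*` becomes the top-level key, and field values arrive as strings (hence `to_number(age)`).

```python
import re

def wildcard_input(event, pattern):
    """Collect fields matching a wildcarded field name into one dict.

    Assumption: the text matched by '*' becomes the top-level key, so
    'rec.*' turns 'rec.name' into 'name'. Multivalue fields (lists) are
    passed through unchanged so they become JSON arrays.
    """
    # Turn the field wildcard into a regex, capturing what each '*' matched.
    parts = [re.escape(p) for p in pattern.split("*")]
    regex = re.compile("^" + "(.*)".join(parts) + "$")
    doc = {}
    for field, value in event.items():
        m = regex.match(field)
        if not m:
            continue
        # With no wildcard in the pattern there are no groups: keep the name.
        key = ".".join(g for g in m.groups() if g) or field
        doc[key] = value
    return doc

def project(doc):
    # Hand-written Python equivalent of the expression in the post:
    # {Name:name, Children:kids, Demographics:{age:to_number(age)}}
    return {
        "Name": doc["name"],
        "Children": doc["kids"],
        "Demographics": {"age": int(doc["age"])},
    }

# Constructed sample event mirroring the table in the post.
EVENT = {
    "_raw": "....",
    "source": "...",
    "rec.name": "Joe",
    "rec.kids": ["Janet", "Greg", "Bob"],
    "rec.age": "45",
}

if __name__ == "__main__":
    print(project(wildcard_input(EVENT, "rec.*")))
```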