Data table of last event for property that contains objects in an array

raged · May 10, 2019, 11:53am

Hello,

I am trying to format the following event into a data table that just shows me the last data point (top hit) of a property that contains several objects in one property that is an array.

Here is the JSON:

  "Win32_quickfixengineering": [
    {
      "HotFixID": "KB4489192",
      "InstalledOn": "4/12/2019",
      "InstalledBy": "NT AUTHORITY\\SYSTEM",
      "Description": "Update"
    },
    {
      "HotFixID": "KB4480056",
      "InstalledOn": "4/22/2019",
      "InstalledBy": "NT AUTHORITY\\SYSTEM",
      "Description": "Update"
    },
    {
      "HotFixID": "KB4493478",
      "InstalledOn": "4/12/2019",
      "InstalledBy": "NT AUTHORITY\\SYSTEM",
      "Description": "Security Update"
    },
    {
      "HotFixID": "KB4493510",
      "InstalledOn": "4/12/2019",
      "InstalledBy": "NT AUTHORITY\\SYSTEM",
      "Description": "Security Update"
    },
    {
      "HotFixID": "KB4493509",
      "InstalledOn": "4/12/2019",
      "InstalledBy": "NT AUTHORITY\\SYSTEM",
      "Description": "Security Update"
    }
  ]
},

I have tried several things, but I can't quite get it right:

I want to mimic this data table:

OUTLOOK_oSEsKNaNNJ

Can someone please help?

Thanks

thomasneirynck · May 13, 2019, 7:16pm

I'm not sure if this is possible.

Is it possible to reindex this data so that each individual element in that array is an actual individual document?

raged · May 13, 2019, 8:06pm

Are you saying if I post this data 5 separate times to logstash I would be able to show that data like it is presented in the black box above?

thomasneirynck · May 13, 2019, 8:08pm

Yes, it would just be a saved-search then https://github.com/elastic/kibana/issues/4707

system · June 10, 2019, 8:08pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.