I have some log look like
{
"ExtendedProperties": [
{
"Value": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.79 Safari/537.36 Edge/14.14393",
"Name": "UserAgent"
},
{
"Value": "65",
"Name": "UserAuthenticationMethod"
},
{
"Value": "OAuth2:Authorize",
"Name": "RequestType"
},
{
"Value": "Success",
"Name": "ResultStatusDetail"
},
{
"Value": "False",
"Name": "KeepMeSignedIn"
}
]
}
I used split filter like this
if [o365-azure] {
split {
field => "[o365][ExtendedProperties]"
}
}
But i got data one of element in array only llike this
"ExtendedProperties": {
"Value": "Success",
"Name": "ResultStatusDetail"
}
I want data after filter success look like
"ExtendedProperties": {
"UserAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.79 Safari/537.36 Edge/14.14393",
"UserAuthenticationMethod": "65",
"RequestType": "OAuth2:Authorize",
"ResultStatusDetail": "Success",
"KeepMeSignedIn": "False"
}
How can do it? Thanks !