我有一个JSON输入颠簸转换
[
{
"System": {
"Provider": {
"Name": "Microsoft-Windows-Eventlog",
"Guid": "{sdada}"
}
},
"EventID": "3434",
"EventData": {
"SubjectUserSid": "3455",
"SubjectUserName": "abc",
"SubjectDomainName": "def",
"SubjectLogonId": "e4545",
"ObjectServer": "dggg",
"ObjectType": "eet"
}
},
{
"System": {
"Provider": {
"Name": "Microsoft-Windows-Eventlog",
"Guid": "{sdada1}"
},
"EventID": "3435"
}
}
]
您可以看到事件数据出现在数组的第一个JSON中,但没有出现在第二个JSON对象中
我想要的输出是:
[
{
"winlog": {
"provider_name": "Microsoft-Windows-Eventlog",
"provider_guid": "{sdada}",
"EventID": "3434",
"event_data": {
"SubjectUserSid": "3455",
"SubjectUserName": "abc",
"SubjectDomainName": "def",
"SubjectLogonId": "e4545",
"ObjectServer": "dggg",
"ObjectType": "eet"
}
}
},
{
"winlog": {
"provider_name": "Microsoft-Windows-Eventlog",
"provider_guid": "{sdada1}",
"EventID": "3435",
"event_data": {
"SubjectUserSid": null,
"SubjectUserName": null,
"SubjectDomainName": null,
"SubjectLogonId": null,
"ObjectServer": null,
"ObjectType": null
}
}
}
]
我想在两个对象中事件数据键,第二个对象的值为null
[
{
"operation": "shift",
"spec": {
"*": {
"System": {
"Provider": {
"Name": "[&3].winlog.provider_name",
"Guid": "[&3].winlog.provider_guid"
}
},
"EventData": "[&1].winlog.event_data"
}
}
}]
我的输出是
[ {
"winlog" : {
"provider_name" : "Microsoft-Windows-Eventlog",
"provider_guid" : "{sdada}",
"event_data" : {
"SubjectUserSid" : "3455",
"SubjectUserName" : "abc",
"SubjectDomainName" : "def",
"SubjectLogonId" : "e4545",
"ObjectServer" : "dggg",
"ObjectType" : "eet"
}
}
}, {
"winlog" : {
"provider_name" : "Microsoft-Windows-Eventlog",
"provider_guid" : "{sdada1}"
}
} ]
简而言之,如何总结每个数组JSON的键
答案 0 :(得分:0)
首先,您可以将默认值放入树中,如下所示:
{
"operation": "modify-default-beta",
"spec": {
"*": {
"EventData": {
"SubjectUserSid": null,
"SubjectUserName": null,
"SubjectDomainName": null,
"SubjectLogonId": null,
"ObjectServer": null,
"ObjectType": null
}
}
}
}