https://community.splunk.com/t5/Splunk-Enterprise/Correlation-of-2-fields-within-json-array/m-p/509996#M2712 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/223785">@galsegal</a>&nbsp;Is this what you're after ?<BR /><BR /></P><LI-CODE lang="markup">| makeresults | eval _raw="{ \"Features\": [ { \"anomaly\": false, \"id\" : 25, \"name\" : \"service\" }, { \"anomaly\": true, \"id\" : 23, \"name\" : \"location\" }, { \"anomaly\": false, \"id\" : 24, \"name\" : \"ip\" }, { \"anomaly\": false, \"id\" : 27, \"name\" : \"time\" } ] }" | rename COMMENT AS "The code below is what is needed. First extract each value from the tree, than we group and split them based on how they are related." | spath path="Features{}.anomaly" output=anomaly | spath path="Features{}.id" output=id | spath path="Features{}.name" output=name | eval x = mvzip(mvzip(id, anomaly, "\n"), name, "\n") | mvexpand x | eval x=split(x,"\n") | eval ID = mvindex(x, 0) | eval Name = mvindex(x, 1) | eval Anomaly = mvindex(x, 2) | stats values(Name) as Name values(Anomaly) as Anomaly by ID</LI-CODE> Mon, 20 Jul 2020 09:20:59 GMT anmolpatel 2020-07-20T09:20:59Z https://community.splunk.com/t5/Splunk-Enterprise/Correlation-of-2-fields-within-json-array/m-p/509990#M2710 <P>Hey All,</P><P>&nbsp;</P><P>What I'm trying to do is to build a search query that correlates between fields like in the below example:</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="galsegal_0-1595233816225.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/9781i13A4A00FF35D80FA/image-size/medium?v=v2&amp;px=400" role="button" title="galsegal_0-1595233816225.png" alt="galsegal_0-1595233816225.png" /></span></P><P>I need that where message.anomaly.features{}.anomaly has a true value, then to output a new field with the corresponding fields below - 23, location (Even only one of them is good for me)</P><P>&nbsp;</P><P>How can I accomplish that?</P><P>&nbsp;</P><P>Thank you,</P> Mon, 20 Jul 2020 08:32:03 GMT https://community.splunk.com/t5/Splunk-Enterprise/Correlation-of-2-fields-within-json-array/m-p/509990#M2710 galsegal 2020-07-20T08:32:03Z https://community.splunk.com/t5/Splunk-Enterprise/Correlation-of-2-fields-within-json-array/m-p/509996#M2712 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/223785">@galsegal</a>&nbsp;Is this what you're after ?<BR /><BR /></P><LI-CODE lang="markup">| makeresults | eval _raw="{ \"Features\": [ { \"anomaly\": false, \"id\" : 25, \"name\" : \"service\" }, { \"anomaly\": true, \"id\" : 23, \"name\" : \"location\" }, { \"anomaly\": false, \"id\" : 24, \"name\" : \"ip\" }, { \"anomaly\": false, \"id\" : 27, \"name\" : \"time\" } ] }" | rename COMMENT AS "The code below is what is needed. First extract each value from the tree, than we group and split them based on how they are related." | spath path="Features{}.anomaly" output=anomaly | spath path="Features{}.id" output=id | spath path="Features{}.name" output=name | eval x = mvzip(mvzip(id, anomaly, "\n"), name, "\n") | mvexpand x | eval x=split(x,"\n") | eval ID = mvindex(x, 0) | eval Name = mvindex(x, 1) | eval Anomaly = mvindex(x, 2) | stats values(Name) as Name values(Anomaly) as Anomaly by ID</LI-CODE> Mon, 20 Jul 2020 09:20:59 GMT https://community.splunk.com/t5/Splunk-Enterprise/Correlation-of-2-fields-within-json-array/m-p/509996#M2712 anmolpatel 2020-07-20T09:20:59Z https://community.splunk.com/t5/Splunk-Enterprise/Correlation-of-2-fields-within-json-array/m-p/510012#M2715 <P>This was not 100% the solution but it indeed got me there <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P><P>Thank you very much, sir.</P> Mon, 20 Jul 2020 10:16:44 GMT https://community.splunk.com/t5/Splunk-Enterprise/Correlation-of-2-fields-within-json-array/m-p/510012#M2715 galsegal 2020-07-20T10:16:44Z