https://community.splunk.com/t5/Splunk-Dev/Converting-json-map-into-table/m-p/565453#M10051 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/237962">@queryaslan</a>&nbsp;</P><P>Can you please try this?</P><P>&nbsp;</P><LI-CODE lang="markup">YOUR_SEARCH |rex field=_raw "\"(?&lt;Users&gt;[^\"]+)\"\s*\:\s*(?&lt;Count&gt;\d+)" max_match=0 | eval t=mvzip(Users,Count) |stats count by t | eval Users=mvindex(split(t,","),0),Count=mvindex(split(t,","),1) | search Users="user*" | table Users Count</LI-CODE><P>&nbsp;</P><P>&nbsp;</P><P><STRONG>My Sample Search :</STRONG></P><P>&nbsp;</P><LI-CODE lang="markup">| makeresults | eval _raw="{\"userDocuments\": {\"userA\":1836,\"userD\":1197,\"userB\":606,\"userZ\":108062,\"userE\":972,\"userC\":931}}" |rex field=_raw "\"(?&lt;Users&gt;[^\"]+)\"\s*\:\s*(?&lt;Count&gt;\d+)" max_match=0 | eval t=mvzip(Users,Count) |stats count by t | eval Users=mvindex(split(t,","),0),Count=mvindex(split(t,","),1) | search Users="user*" | table Users Count</LI-CODE><P>&nbsp;</P><P><BR />&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Screenshot 2021-09-01 at 3.31.11 PM.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/15799i145EB88606CEFB27/image-size/medium?v=v2&amp;px=400" role="button" title="Screenshot 2021-09-01 at 3.31.11 PM.png" alt="Screenshot 2021-09-01 at 3.31.11 PM.png" /></span></P><P>&nbsp;</P><P>Thanks<BR />KV<BR />▄︻̷̿┻̿═━一 &nbsp;&nbsp; <BR /><BR />If any of my reply helps you to solve the problem Or gain knowledge, an upvote would be appreciated.</P> Wed, 01 Sep 2021 11:47:13 GMT kamlesh_vaghela 2021-09-01T11:47:13Z https://community.splunk.com/t5/Splunk-Dev/Converting-json-map-into-table/m-p/565443#M10050 <P><SPAN>Hi,<BR /><BR />I'm trying out the new Splunk dashboard and the goal is to plot users' database document count over time.<BR /></SPAN></P><P><SPAN><BR />The log contains a JSON map with the top 100 users with most documents.&nbsp; Since user doc-count differs over time the keys will also differ...<BR /><BR />"</SPAN><SPAN class="t">userDocuments</SPAN><SPAN>"</SPAN><SPAN class="t">:&nbsp;</SPAN><SPAN>{<BR />&nbsp; &nbsp;"userA</SPAN><SPAN>"</SPAN><SPAN class="t">:1836</SPAN><SPAN>,<BR />&nbsp; &nbsp;"</SPAN><SPAN class="t">userD</SPAN><SPAN>"</SPAN><SPAN class="t">:1197</SPAN><SPAN>,<BR /></SPAN><SPAN>&nbsp; &nbsp;"userB</SPAN><SPAN>"</SPAN><SPAN class="t">:606</SPAN><SPAN>,<BR />&nbsp; &nbsp;"userZ</SPAN><SPAN>"</SPAN><SPAN class="t">:108062</SPAN><SPAN>,<BR />&nbsp; &nbsp;"</SPAN><SPAN class="t">userE</SPAN><SPAN>"</SPAN><SPAN class="t">:972</SPAN><SPAN>,<BR />&nbsp; &nbsp;"userC</SPAN><SPAN>"</SPAN><SPAN class="t">:931<BR />&nbsp;</SPAN><SPAN>}<BR /><BR />I'm having a hard time creating a simple table like this</SPAN></P><TABLE border="1" width="100%"><TBODY><TR><TD width="50%" height="25px">User</TD><TD width="50%" height="25px">Count</TD></TR><TR><TD width="50%" height="25px"><SPAN>userA</SPAN></TD><TD width="50%" height="25px"><SPAN class="t">1836</SPAN></TD></TR><TR><TD width="50%" height="25px"><SPAN><SPAN>user</SPAN></SPAN><SPAN><SPAN class="t">D</SPAN></SPAN></TD><TD width="50%" height="25px"><SPAN class="t">1197</SPAN></TD></TR><TR><TD width="50%" height="25px"><SPAN><SPAN>user</SPAN></SPAN><SPAN>B</SPAN></TD><TD width="50%" height="25px"><SPAN class="t">606</SPAN></TD></TR><TR><TD width="50%" height="25px"><SPAN><SPAN>user</SPAN></SPAN><SPAN>Z</SPAN></TD><TD width="50%" height="25px"><SPAN class="t">108062</SPAN></TD></TR><TR><TD width="50%" height="25px"><SPAN><SPAN>user</SPAN></SPAN><SPAN><SPAN class="t">E</SPAN></SPAN></TD><TD width="50%" height="25px"><SPAN class="t">972</SPAN></TD></TR><TR><TD width="50%" height="25px"><SPAN><SPAN>user</SPAN></SPAN><SPAN>C</SPAN></TD><TD width="50%" height="25px"><SPAN class="t">931</SPAN></TD></TR></TBODY></TABLE><P><SPAN><BR /><BR />Any input for a query/changing data structure?<BR /></SPAN></P> Wed, 01 Sep 2021 09:18:33 GMT https://community.splunk.com/t5/Splunk-Dev/Converting-json-map-into-table/m-p/565443#M10050 queryaslan 2021-09-01T09:18:33Z https://community.splunk.com/t5/Splunk-Dev/Converting-json-map-into-table/m-p/565453#M10051 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/237962">@queryaslan</a>&nbsp;</P><P>Can you please try this?</P><P>&nbsp;</P><LI-CODE lang="markup">YOUR_SEARCH |rex field=_raw "\"(?&lt;Users&gt;[^\"]+)\"\s*\:\s*(?&lt;Count&gt;\d+)" max_match=0 | eval t=mvzip(Users,Count) |stats count by t | eval Users=mvindex(split(t,","),0),Count=mvindex(split(t,","),1) | search Users="user*" | table Users Count</LI-CODE><P>&nbsp;</P><P>&nbsp;</P><P><STRONG>My Sample Search :</STRONG></P><P>&nbsp;</P><LI-CODE lang="markup">| makeresults | eval _raw="{\"userDocuments\": {\"userA\":1836,\"userD\":1197,\"userB\":606,\"userZ\":108062,\"userE\":972,\"userC\":931}}" |rex field=_raw "\"(?&lt;Users&gt;[^\"]+)\"\s*\:\s*(?&lt;Count&gt;\d+)" max_match=0 | eval t=mvzip(Users,Count) |stats count by t | eval Users=mvindex(split(t,","),0),Count=mvindex(split(t,","),1) | search Users="user*" | table Users Count</LI-CODE><P>&nbsp;</P><P><BR />&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Screenshot 2021-09-01 at 3.31.11 PM.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/15799i145EB88606CEFB27/image-size/medium?v=v2&amp;px=400" role="button" title="Screenshot 2021-09-01 at 3.31.11 PM.png" alt="Screenshot 2021-09-01 at 3.31.11 PM.png" /></span></P><P>&nbsp;</P><P>Thanks<BR />KV<BR />▄︻̷̿┻̿═━一 &nbsp;&nbsp; <BR /><BR />If any of my reply helps you to solve the problem Or gain knowledge, an upvote would be appreciated.</P> Wed, 01 Sep 2021 11:47:13 GMT https://community.splunk.com/t5/Splunk-Dev/Converting-json-map-into-table/m-p/565453#M10051 kamlesh_vaghela 2021-09-01T11:47:13Z https://community.splunk.com/t5/Splunk-Dev/Converting-json-map-into-table/m-p/565472#M10052 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/127939">@kamlesh_vaghela</a>&nbsp; Thank you! The only problem I have is that have another map in the log so it will parse values from the map into the table. But I guess i could solve the by looking for "user" as a prefix in the regex or if you have a smarter solution?<BR /><BR /></P> Wed, 01 Sep 2021 11:39:48 GMT https://community.splunk.com/t5/Splunk-Dev/Converting-json-map-into-table/m-p/565472#M10052 queryaslan 2021-09-01T11:39:48Z https://community.splunk.com/t5/Splunk-Dev/Converting-json-map-into-table/m-p/565475#M10053 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/237962">@queryaslan</a>&nbsp;</P><P>Just add&nbsp;</P><LI-CODE lang="markup">| search Users="user*" </LI-CODE><P>&nbsp;</P><P>Please check my updated answer.</P><P>&nbsp;</P><P>Thanks<BR />KV<BR />▄︻̷̿┻̿═━一 &nbsp;&nbsp;<BR /><BR />If any of my reply helps you to solve the problem Or gain knowledge, an upvote would be appreciated.&nbsp;</P> Wed, 01 Sep 2021 11:47:54 GMT https://community.splunk.com/t5/Splunk-Dev/Converting-json-map-into-table/m-p/565475#M10053 kamlesh_vaghela 2021-09-01T11:47:54Z https://community.splunk.com/t5/Splunk-Dev/Converting-json-map-into-table/m-p/566020#M10054 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/127939">@kamlesh_vaghela</a>&nbsp;sorry for bothering you but how would you add a timestamp column for the table?<BR /><BR /></P><LI-CODE lang="markup">| rex field=_raw "\"(?&lt;Users&gt;[^\"]+)\"\s*\:\s*(?&lt;Count&gt;\d+)" max_match=0 | eval t=mvzip(Users,Count) | stats count by t | eval Users=mvindex(split(t,","),0),Count=mvindex(split(t,","),1) | eval time=0 | foreach User [eval time=_time]| table Users Count total _time | sort by -Count</LI-CODE> Mon, 06 Sep 2021 14:03:05 GMT https://community.splunk.com/t5/Splunk-Dev/Converting-json-map-into-table/m-p/566020#M10054 queryaslan 2021-09-06T14:03:05Z https://community.splunk.com/t5/Splunk-Dev/Converting-json-map-into-table/m-p/566056#M10055 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/237962">@queryaslan</a>&nbsp;</P><P>try this.</P><LI-CODE lang="markup">|rex field=_raw "\"(?&lt;Users&gt;[^\"]+)\"\s*\:\s*(?&lt;Count&gt;\d+)" max_match=0 | eval t=mvzip(Users,Count) |mvexpand t | eval Users=mvindex(split(t,","),0),Count=mvindex(split(t,","),1) | search Users="user*" | table _time Users Count</LI-CODE><P>&nbsp;</P><P>KV&nbsp;</P> Tue, 07 Sep 2021 04:27:26 GMT https://community.splunk.com/t5/Splunk-Dev/Converting-json-map-into-table/m-p/566056#M10055 kamlesh_vaghela 2021-09-07T04:27:26Z