https://community.splunk.com/t5/Getting-Data-In/How-do-I-split-an-array-in-a-json-file-into-multiple-new-events/m-p/149596#M30461 <P>Try something like this,</P> <PRE><CODE>&lt;your base search...&gt; | table timestamp, Date, Available | eval temp=mvzip(timestamp, mvzip(Date, Available,"###"), "###") | mvexpand temp | rex field=temp "(?&lt;timestamp&gt;.*)###(?&lt;Date&gt;.*)###(?&lt;Available&gt;.*)" | fields - temp </CODE></PRE> <P>I have used the sample fields, you can try with your actual fields. Concept here is, you need to zip it with a delimiter (here ###) and expand it and extract it. This do the magic </P> Mon, 22 Aug 2016 18:55:01 GMT vasanthmss 2016-08-22T18:55:01Z https://community.splunk.com/t5/Getting-Data-In/How-do-I-split-an-array-in-a-json-file-into-multiple-new-events/m-p/149593#M30458 <P>Right now I have a json file that's formatted like:</P> <PRE><CODE>{ "Log Files":[ {"Date":"2014-07-18 21:22:51", "Available Bytes(kb)":3960078, ...}, {"Date":"2014-07-18 21:24:01", "Available Bytes(kb)":4001231, ...}, {"Date":"2014-07-18 21:25:14", "Available Bytes(kb)":3872959, ...}]} </CODE></PRE> <P>Right now it's showing up in Splunk as:</P> <PRE><CODE>timestamp Date Available Bytes(kb) 2014-07-18 21:22:51:000 2014-07-18 21:22:51 3960078 2014-07-18 21:24:01 4001231 2014-07-18 21:25:14 3872959 </CODE></PRE> <P>How can I split these up into individual events when I load the data? I can get the timestamp to correctly match the Date field, but it will still only give one date for the whole file, even though there are several lines that are each individual logs.</P> Fri, 18 Jul 2014 22:29:07 GMT https://community.splunk.com/t5/Getting-Data-In/How-do-I-split-an-array-in-a-json-file-into-multiple-new-events/m-p/149593#M30458 dgutekunst 2014-07-18T22:29:07Z https://community.splunk.com/t5/Getting-Data-In/How-do-I-split-an-array-in-a-json-file-into-multiple-new-events/m-p/149594#M30459 <P>When you say "... when I load the data" do you mean at search time or index time?</P> Mon, 22 Aug 2016 02:31:08 GMT https://community.splunk.com/t5/Getting-Data-In/How-do-I-split-an-array-in-a-json-file-into-multiple-new-events/m-p/149594#M30459 pwmcintyre 2016-08-22T02:31:08Z https://community.splunk.com/t5/Getting-Data-In/How-do-I-split-an-array-in-a-json-file-into-multiple-new-events/m-p/149595#M30460 <P>Is there anything in the envelope of this array that you want to keep or are you just interested in keeping the events inside the "Log Files" array?<BR /> If the latter, setup props/transforms for your sourcetype to:</P> <UL> <LI>Get rid of the root '{' line </LI> <LI>Get rid of the array root line that contains "Log Files" </LI> <LI>Use SEDCMD to change "}," to "}" at the end of the lines</LI> <LI>Use SEDCMD to remove "]}"</LI> <LI>Set TIMESTAMP_PREFIX to <CODE>\{\"Date\":\"</CODE></LI> </UL> <P>That should result in individual, valid JSON events that should render fine in the UI. </P> Mon, 22 Aug 2016 18:38:11 GMT https://community.splunk.com/t5/Getting-Data-In/How-do-I-split-an-array-in-a-json-file-into-multiple-new-events/m-p/149595#M30460 s2_splunk 2016-08-22T18:38:11Z https://community.splunk.com/t5/Getting-Data-In/How-do-I-split-an-array-in-a-json-file-into-multiple-new-events/m-p/149596#M30461 <P>Try something like this,</P> <PRE><CODE>&lt;your base search...&gt; | table timestamp, Date, Available | eval temp=mvzip(timestamp, mvzip(Date, Available,"###"), "###") | mvexpand temp | rex field=temp "(?&lt;timestamp&gt;.*)###(?&lt;Date&gt;.*)###(?&lt;Available&gt;.*)" | fields - temp </CODE></PRE> <P>I have used the sample fields, you can try with your actual fields. Concept here is, you need to zip it with a delimiter (here ###) and expand it and extract it. This do the magic </P> Mon, 22 Aug 2016 18:55:01 GMT https://community.splunk.com/t5/Getting-Data-In/How-do-I-split-an-array-in-a-json-file-into-multiple-new-events/m-p/149596#M30461 vasanthmss 2016-08-22T18:55:01Z