https://community.splunk.com/t5/Getting-Data-In/How-do-you-parse-nested-Amazon-Web-Services-fields/m-p/397997#M70967 <P>Thanks @493669 </P> <P>I was able to extract the correct data using spath.</P> <P>My search was:<BR /> index=test<BR /> | spath path=rules{} output=rules <BR /> | mvexpand rules <BR /> | rename rules as _raw <BR /> | spath</P> Mon, 14 Jan 2019 10:12:48 GMT MABurberry 2019-01-14T10:12:48Z https://community.splunk.com/t5/Getting-Data-In/How-do-you-parse-nested-Amazon-Web-Services-fields/m-p/397995#M70965 <P>Hi All,</P> <P>I am having some troubles parsing nested AWS fields.</P> <P>The data that I have looks like this:</P> <PRE><CODE> rules: [ [-] { [-] from_port: 80 grants: [ [-] { [-] cidr_ip: 10.51.4.20/31 group_id: null name: null owner_id: null } { [-] cidr_ip: 10.51.4.8/31 group_id: null name: null owner_id: null } { [-] cidr_ip: 10.51.4.2/31 group_id: null name: null owner_id: null } ] groups: ipRanges: ip_protocol: tcp to_port: 80 } { [-] from_port: 0 grants: [ [-] { [-] cidr_ip: 10.0.1.9/21 group_id: null name: null owner_id: null } ] groups: ipRanges: ip_protocol: tcp to_port: 65535 } { [-] from_port: 7002 grants: [ [-] { [-] cidr_ip: 10.0.1.7/21 group_id: null name: null owner_id: null } { [-] cidr_ip: 10.0.1.5/21 group_id: null name: null owner_id: null } { [-] cidr_ip: 10.0.1.2/21 group_id: null name: null owner_id: null } ] groups: ipRanges: ip_protocol: tcp to_port: 7002 } </CODE></PRE> <P>I want to be able to parse these fields so they show up like:</P> <PRE><CODE>IP Address FROM_PORT TO_PORT 10.51.4.20/31 80 80 10.51.4.8/31 80 80 10.51.4.2/31 80 80 10.0.1.9/21 0 65535 10.0.1.7/21 7002 7002 </CODE></PRE> <P>I've tried MVZip then MVExpand but I cannot seem to get it working correctly. Does anyone have any ways to solve this please?</P> <P>Thanks</P> Mon, 14 Jan 2019 09:08:32 GMT https://community.splunk.com/t5/Getting-Data-In/How-do-you-parse-nested-Amazon-Web-Services-fields/m-p/397995#M70965 MABurberry 2019-01-14T09:08:32Z https://community.splunk.com/t5/Getting-Data-In/How-do-you-parse-nested-Amazon-Web-Services-fields/m-p/397996#M70966 <P>Hi @MABurberry,</P> <P>can you try <CODE>|spath</CODE> command like below</P> <PRE><CODE>index=&lt;YourIndexname&gt;|spath </CODE></PRE> <P><A href="https://docs.splunk.com/Documentation/Splunk/7.2.3/SearchReference/Spath">https://docs.splunk.com/Documentation/Splunk/7.2.3/SearchReference/Spath</A></P> Mon, 14 Jan 2019 09:40:28 GMT https://community.splunk.com/t5/Getting-Data-In/How-do-you-parse-nested-Amazon-Web-Services-fields/m-p/397996#M70966 493669 2019-01-14T09:40:28Z https://community.splunk.com/t5/Getting-Data-In/How-do-you-parse-nested-Amazon-Web-Services-fields/m-p/397997#M70967 <P>Thanks @493669 </P> <P>I was able to extract the correct data using spath.</P> <P>My search was:<BR /> index=test<BR /> | spath path=rules{} output=rules <BR /> | mvexpand rules <BR /> | rename rules as _raw <BR /> | spath</P> Mon, 14 Jan 2019 10:12:48 GMT https://community.splunk.com/t5/Getting-Data-In/How-do-you-parse-nested-Amazon-Web-Services-fields/m-p/397997#M70967 MABurberry 2019-01-14T10:12:48Z https://community.splunk.com/t5/Getting-Data-In/How-do-you-parse-nested-Amazon-Web-Services-fields/m-p/397998#M70968 <P>Hi,</P> <P>you need a bit more than just spath</P> <P>in this example you can see how to use spath in the way you wanted your example</P> <PRE><CODE>| makeresults | eval _raw = "{\"rules\": [{\"from\": 1, \"grant\":[{\"ip\": 12}, {\"ip\": 34}]}, {\"from\": 2, \"grant\":[{\"ip\": 56}, {\"ip\": 78}]}]}" | spath rules{} output=rules | mvexpand rules | spath input=rules </CODE></PRE> <P>use just the part after |spath and change the names.</P> <P>David</P> Mon, 14 Jan 2019 10:17:50 GMT https://community.splunk.com/t5/Getting-Data-In/How-do-you-parse-nested-Amazon-Web-Services-fields/m-p/397998#M70968 dkeck 2019-01-14T10:17:50Z