https://community.splunk.com/t5/Getting-Data-In/Can-you-help-us-parse-the-following-JSON/m-p/416123#M73535 <P>i have tried the spath command, but no results. I would like to display the below data into a table as shown below:</P> <PRE><CODE>10:40:19.682 INFO com.sample.splunk.service.splunkService - Splunk_SampleJson —&gt;{“fileNamesList:[{“fileName”:”fileName1.zip"},{"fileName":"fileName2.zip”},{“fileName":"fileName3.zip”}]} I wanted to get data in table format </CODE></PRE> <P>FileName<BR /> ——————<BR /> fileName1<BR /> fileName2<BR /> FileName3</P> Mon, 21 Jan 2019 18:51:37 GMT saranya12 2019-01-21T18:51:37Z https://community.splunk.com/t5/Getting-Data-In/Can-you-help-us-parse-the-following-JSON/m-p/416123#M73535 <P>i have tried the spath command, but no results. I would like to display the below data into a table as shown below:</P> <PRE><CODE>10:40:19.682 INFO com.sample.splunk.service.splunkService - Splunk_SampleJson —&gt;{“fileNamesList:[{“fileName”:”fileName1.zip"},{"fileName":"fileName2.zip”},{“fileName":"fileName3.zip”}]} I wanted to get data in table format </CODE></PRE> <P>FileName<BR /> ——————<BR /> fileName1<BR /> fileName2<BR /> FileName3</P> Mon, 21 Jan 2019 18:51:37 GMT https://community.splunk.com/t5/Getting-Data-In/Can-you-help-us-parse-the-following-JSON/m-p/416123#M73535 saranya12 2019-01-21T18:51:37Z https://community.splunk.com/t5/Getting-Data-In/Can-you-help-us-parse-the-following-JSON/m-p/416124#M73536 <P>Thats probably because spath works on pure json data and your long entry is not pure json (it has those timestamps and other info before the json portion). You can extract the json portion into a new field and use spath on that, e.g.</P> <PRE><CODE>your base search | rex "^([^\{]+)(?&lt;jsondata&gt;.+)$" | spath input=jsondata </CODE></PRE> Mon, 21 Jan 2019 20:03:54 GMT https://community.splunk.com/t5/Getting-Data-In/Can-you-help-us-parse-the-following-JSON/m-p/416124#M73536 somesoni2 2019-01-21T20:03:54Z https://community.splunk.com/t5/Getting-Data-In/Can-you-help-us-parse-the-following-JSON/m-p/416125#M73537 <P>Thank you worked for me , adding complete search query it might help some one </P> <PRE><CODE>my base search | rex "^([^\{]+)(?&lt;jsondata&gt;.+)$" |spath input=jsondata output=fileName path=fileNamesList{}.fileName |table fileName </CODE></PRE> Mon, 21 Jan 2019 20:30:12 GMT https://community.splunk.com/t5/Getting-Data-In/Can-you-help-us-parse-the-following-JSON/m-p/416125#M73537 saranya12 2019-01-21T20:30:12Z https://community.splunk.com/t5/Getting-Data-In/Can-you-help-us-parse-the-following-JSON/m-p/416126#M73538 <P>Thanks for sharing your working search. Please remember to format your searches/code snippet by selecting the query and clicking on "101010" button on the top of the text area. </P> <P>Please mark this question answered by accepting this as an answer.</P> Mon, 21 Jan 2019 21:55:25 GMT https://community.splunk.com/t5/Getting-Data-In/Can-you-help-us-parse-the-following-JSON/m-p/416126#M73538 somesoni2 2019-01-21T21:55:25Z https://community.splunk.com/t5/Getting-Data-In/Can-you-help-us-parse-the-following-JSON/m-p/416127#M73539 <P>Like this:</P> <PRE><CODE>| makeresults | eval _raw="10:40:19.682 INFO com.sample.splunk.service.splunkService - Splunk_SampleJson —&gt;{\"fileNamesList:[{\"fileName\":\"fileName1.zip\"},{\"fileName\":\"fileName2.zip\"},{\"fileName\":\"fileName3.zip\"}]}" | rename COMMENT AS "Everything above generates sample event data; everything below is your solution" | rex max_match=0 "\"fileName\":\"(?&lt;fileName&gt;[^\"]+)" | table fileName | mvexpand fileName </CODE></PRE> <P>You may not need the last line (try with and without).</P> Mon, 21 Jan 2019 22:15:16 GMT https://community.splunk.com/t5/Getting-Data-In/Can-you-help-us-parse-the-following-JSON/m-p/416127#M73539 woodcock 2019-01-21T22:15:16Z