https://community.splunk.com/t5/Getting-Data-In/How-to-parse-JSON-with-multiple-array/m-p/463693#M79982 <P>@cuongnguyen112 </P> <P>Can you please try this?</P> <PRE><CODE>YOUR_SEARCH | rename sysinfo.process_list.* as * | eval field_name="",uid="",gid="",name="",pid="" | foreach *.* [ eval field_name= mvindex(split("&lt;&lt;FIELD&gt;&gt;","."),1),val=case(field_name=="pid",pid,field_name=="gid",gid,field_name=="uid",uid,1=1,name), {field_name}=if(val!="",val.",","").'&lt;&lt;FIELD&gt;&gt;'] | eval tmp=mvzip(mvzip(mvzip(split(name,","),split(pid,",")),split(uid,",")),split(gid,",")) | fields _time tmp | mvexpand tmp | eval name=mvindex(split(tmp,","),0),pid=mvindex(split(tmp,","),1),uid=mvindex(split(tmp,","),2),gid=mvindex(split(tmp,","),3) | table name pid uid gid </CODE></PRE> <P>Sample Search:</P> <PRE><CODE>| makeresults | eval _raw="{\"source\": \"sadmin\",\"sysinfo\": {\"process_list\": {\"56\": {\"name\": \"nginx on\",\"pid\": \"56\",\"uid\": \"0\",\"gid\": \"0\"},\"57\": {\"name\": \"nginx: worker process\",\"pid\": \"57\",\"uid\": \"33\",\"gid\": \"33\"},}}}" | spath | rename sysinfo.process_list.* as * | eval field_name="",uid="",gid="",name="",pid="" | foreach *.* [ eval field_name= mvindex(split("&lt;&lt;FIELD&gt;&gt;","."),1),val=case(field_name=="pid",pid,field_name=="gid",gid,field_name=="uid",uid,1=1,name), {field_name}=if(val!="",val.",","").'&lt;&lt;FIELD&gt;&gt;'] | eval tmp=mvzip(mvzip(mvzip(split(name,","),split(pid,",")),split(uid,",")),split(gid,",")) | fields _time tmp | mvexpand tmp | eval name=mvindex(split(tmp,","),0),pid=mvindex(split(tmp,","),1),uid=mvindex(split(tmp,","),2),gid=mvindex(split(tmp,","),3) | table name pid uid gid </CODE></PRE> <P>Thanks</P> Mon, 21 Oct 2019 06:21:09 GMT kamlesh_vaghela 2019-10-21T06:21:09Z https://community.splunk.com/t5/Getting-Data-In/How-to-parse-JSON-with-multiple-array/m-p/463692#M79981 <P>hi, i got data like this: </P> <P>{<BR /> "source": "sadmin",<BR /> "sysinfo": {<BR /> "process_list": {<BR /> "56": {<BR /> "name": "nginx on",<BR /> "pid": 56,<BR /> "uid": 0,<BR /> "gid": 0<BR /> },<BR /> "57": {<BR /> "name": "nginx: worker process",<BR /> "pid": 57,<BR /> "uid": 33,<BR /> "gid": 33<BR /> },<BR /> }<BR /> }<BR /> }<BR /> i need to create a table from these data like below: <span class="lia-inline-image-display-wrapper" image-alt="alt text"><img src="https://community.splunk.com/t5/image/serverpage/image-id/7841i7AD8BE3532AF6F3A/image-size/large?v=v2&amp;px=999" role="button" title="alt text" alt="alt text" /></span></P> <P>could any one please help me !!</P> Mon, 21 Oct 2019 04:07:26 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-parse-JSON-with-multiple-array/m-p/463692#M79981 cuongnguyen112 2019-10-21T04:07:26Z https://community.splunk.com/t5/Getting-Data-In/How-to-parse-JSON-with-multiple-array/m-p/463693#M79982 <P>@cuongnguyen112 </P> <P>Can you please try this?</P> <PRE><CODE>YOUR_SEARCH | rename sysinfo.process_list.* as * | eval field_name="",uid="",gid="",name="",pid="" | foreach *.* [ eval field_name= mvindex(split("&lt;&lt;FIELD&gt;&gt;","."),1),val=case(field_name=="pid",pid,field_name=="gid",gid,field_name=="uid",uid,1=1,name), {field_name}=if(val!="",val.",","").'&lt;&lt;FIELD&gt;&gt;'] | eval tmp=mvzip(mvzip(mvzip(split(name,","),split(pid,",")),split(uid,",")),split(gid,",")) | fields _time tmp | mvexpand tmp | eval name=mvindex(split(tmp,","),0),pid=mvindex(split(tmp,","),1),uid=mvindex(split(tmp,","),2),gid=mvindex(split(tmp,","),3) | table name pid uid gid </CODE></PRE> <P>Sample Search:</P> <PRE><CODE>| makeresults | eval _raw="{\"source\": \"sadmin\",\"sysinfo\": {\"process_list\": {\"56\": {\"name\": \"nginx on\",\"pid\": \"56\",\"uid\": \"0\",\"gid\": \"0\"},\"57\": {\"name\": \"nginx: worker process\",\"pid\": \"57\",\"uid\": \"33\",\"gid\": \"33\"},}}}" | spath | rename sysinfo.process_list.* as * | eval field_name="",uid="",gid="",name="",pid="" | foreach *.* [ eval field_name= mvindex(split("&lt;&lt;FIELD&gt;&gt;","."),1),val=case(field_name=="pid",pid,field_name=="gid",gid,field_name=="uid",uid,1=1,name), {field_name}=if(val!="",val.",","").'&lt;&lt;FIELD&gt;&gt;'] | eval tmp=mvzip(mvzip(mvzip(split(name,","),split(pid,",")),split(uid,",")),split(gid,",")) | fields _time tmp | mvexpand tmp | eval name=mvindex(split(tmp,","),0),pid=mvindex(split(tmp,","),1),uid=mvindex(split(tmp,","),2),gid=mvindex(split(tmp,","),3) | table name pid uid gid </CODE></PRE> <P>Thanks</P> Mon, 21 Oct 2019 06:21:09 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-parse-JSON-with-multiple-array/m-p/463693#M79982 kamlesh_vaghela 2019-10-21T06:21:09Z https://community.splunk.com/t5/Getting-Data-In/How-to-parse-JSON-with-multiple-array/m-p/463694#M79983 <P>you're my hero, exactly what i needed </P> Mon, 21 Oct 2019 06:38:04 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-parse-JSON-with-multiple-array/m-p/463694#M79983 cuongnguyen112 2019-10-21T06:38:04Z https://community.splunk.com/t5/Getting-Data-In/How-to-parse-JSON-with-multiple-array/m-p/463695#M79984 <P><span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span> Glad to help you.</P> <P><STRONG>!! Happy Splunking !!</STRONG></P> Mon, 21 Oct 2019 07:27:38 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-parse-JSON-with-multiple-array/m-p/463695#M79984 kamlesh_vaghela 2019-10-21T07:27:38Z