https://community.splunk.com/t5/Getting-Data-In/Extract-nested-json/m-p/496238#M84652 <P>Fantastic! Thank you so much!!!!!</P> Tue, 12 May 2020 13:10:17 GMT ch1221 2020-05-12T13:10:17Z https://community.splunk.com/t5/Getting-Data-In/Extract-nested-json/m-p/496227#M84641 <P>Looking for some assistance extracting all of the nested json values like the "results", "tags" and "iocs" in the screenshot. I've been trying to get spath and mvexpand to work for days but apparently I am not doing something right. Any help is appreciated.<BR /> <span class="lia-inline-image-display-wrapper" image-alt="alt text"><img src="https://community.splunk.com/t5/image/serverpage/image-id/8883i1F493AE22FC5D318/image-size/large?v=v2&amp;px=999" role="button" title="alt text" alt="alt text" /></span></P> Mon, 11 May 2020 20:52:08 GMT https://community.splunk.com/t5/Getting-Data-In/Extract-nested-json/m-p/496227#M84641 ch1221 2020-05-11T20:52:08Z https://community.splunk.com/t5/Getting-Data-In/Extract-nested-json/m-p/496228#M84642 <P>your JSON can't be extracted using <CODE>spath</CODE> and <CODE>mvexpand</CODE> </P> <P>This Only can be extracted from <CODE>_raw</CODE>, not <CODE>Show syntax highlighted</CODE></P> Mon, 11 May 2020 22:03:02 GMT https://community.splunk.com/t5/Getting-Data-In/Extract-nested-json/m-p/496228#M84642 to4kawa 2020-05-11T22:03:02Z https://community.splunk.com/t5/Getting-Data-In/Extract-nested-json/m-p/496229#M84643 <P>if you run the search and then table it does it show as being parsed into its own columns as that might give you what you need. </P> <P>Otherwise you may need to regex the data first if spath or mvexpand could not be used.</P> <P>Also can you provide the output what is happening after you try with your search so we can try and work out a solution? </P> Tue, 12 May 2020 08:16:11 GMT https://community.splunk.com/t5/Getting-Data-In/Extract-nested-json/m-p/496229#M84643 Sfry1981 2020-05-12T08:16:11Z https://community.splunk.com/t5/Getting-Data-In/Extract-nested-json/m-p/496230#M84644 <P>click <STRONG>Show as raw text</STRONG> in events</P> Tue, 12 May 2020 08:42:54 GMT https://community.splunk.com/t5/Getting-Data-In/Extract-nested-json/m-p/496230#M84644 to4kawa 2020-05-12T08:42:54Z https://community.splunk.com/t5/Getting-Data-In/Extract-nested-json/m-p/496231#M84645 <P>{ "start": 0, "terms": [ "feed_id:14" ], "highlights": [], "total_results": 103, "filtered": {}, "facets": {}, "results": [ { "ipv4_count": 0, "description": "description of event", "tags": [ "threathunting", "hunting", "t1033", "discovery", "recon", "windows" ], "feed_id": 14, "timestamp": 1552664393, "feed_category": "xxx", "sha256_count": 0, "create_time": 1552664393, "link": "hxxps://xxx.xxx", "id": "565616", "query_count": 1, "is_deleted": false, "title": "test", "has_query": true, "iocs": { "query": [ { "index_type": "events", "search_query": "test query" } ] }, "is_ignored": false, "feed_name": "test feed", "md5_count": 0, "score": 65, "ipv6_count": 0, "domain_count": 0 }, ], "elapsed": 0.013309955596923828}</P> Wed, 30 Sep 2020 05:24:00 GMT https://community.splunk.com/t5/Getting-Data-In/Extract-nested-json/m-p/496231#M84645 ch1221 2020-09-30T05:24:00Z https://community.splunk.com/t5/Getting-Data-In/Extract-nested-json/m-p/496232#M84646 <PRE><CODE>your search | rex "results\":\s(?&lt;results&gt;\[.*\])" | spath | fields - _* results{}.* | stats values(*) as * by results | spath input=results {} output=results | stats values(*) as * by results | spath input=results | fields - results | eval tags=mvjoin('tags{}',",") | fields - tags{} source sourcetype splunk_server punct date_* host </CODE></PRE> <P>Thanks for your sample. how about this?</P> Tue, 12 May 2020 12:03:20 GMT https://community.splunk.com/t5/Getting-Data-In/Extract-nested-json/m-p/496232#M84646 to4kawa 2020-05-12T12:03:20Z https://community.splunk.com/t5/Getting-Data-In/Extract-nested-json/m-p/496233#M84647 <P>That doesn't work. It returns 6 events (based on the tags it appears) with all of the other values identical.</P> Tue, 12 May 2020 12:08:53 GMT https://community.splunk.com/t5/Getting-Data-In/Extract-nested-json/m-p/496233#M84647 ch1221 2020-05-12T12:08:53Z https://community.splunk.com/t5/Getting-Data-In/Extract-nested-json/m-p/496234#M84648 <P>The raw results that I provided was a sample of 103+ results which is too much to post.</P> Tue, 12 May 2020 12:09:34 GMT https://community.splunk.com/t5/Getting-Data-In/Extract-nested-json/m-p/496234#M84648 ch1221 2020-05-12T12:09:34Z https://community.splunk.com/t5/Getting-Data-In/Extract-nested-json/m-p/496235#M84649 <P>Put it up on another site temporarily and let me know the link.</P> Tue, 12 May 2020 12:13:44 GMT https://community.splunk.com/t5/Getting-Data-In/Extract-nested-json/m-p/496235#M84649 to4kawa 2020-05-12T12:13:44Z https://community.splunk.com/t5/Getting-Data-In/Extract-nested-json/m-p/496236#M84650 <P><A href="https://www.dropbox.com/s/hjs4ez36y8g622q/cbfeeds.txt?dl=0">https://www.dropbox.com/s/hjs4ez36y8g622q/cbfeeds.txt?dl=0</A></P> Tue, 12 May 2020 12:43:02 GMT https://community.splunk.com/t5/Getting-Data-In/Extract-nested-json/m-p/496236#M84650 ch1221 2020-05-12T12:43:02Z https://community.splunk.com/t5/Getting-Data-In/Extract-nested-json/m-p/496237#M84651 <P>I see, my answer is updated.</P> Tue, 12 May 2020 13:06:45 GMT https://community.splunk.com/t5/Getting-Data-In/Extract-nested-json/m-p/496237#M84651 to4kawa 2020-05-12T13:06:45Z https://community.splunk.com/t5/Getting-Data-In/Extract-nested-json/m-p/496238#M84652 <P>Fantastic! Thank you so much!!!!!</P> Tue, 12 May 2020 13:10:17 GMT https://community.splunk.com/t5/Getting-Data-In/Extract-nested-json/m-p/496238#M84652 ch1221 2020-05-12T13:10:17Z