https://community.splunk.com/t5/Reporting/How-to-convert-multiple-spath-commands-into-a-single-EVAL/m-p/592862#M11307 <P>Does anyone know the answer to this please?</P> Thu, 07 Apr 2022 10:04:32 GMT POR160893 2022-04-07T10:04:32Z https://community.splunk.com/t5/Reporting/How-to-convert-multiple-spath-commands-into-a-single-EVAL/m-p/592645#M11304 <P>Hi,</P> <P>I need to convert the following into a single query that uses the EVAL command in order to perform extractions.<BR /><BR />I currently have the following:<BR />index="identitynow" |spath path=action |rename action as authentication_method, index="identitynow" |spath path=name |rename name as authentication_service,index="identitynow" |spath path=message |<BR />rename message as reason,index="identitynow" |spath path=status |rename status as action,index="identitynow" |spath path=source |rename source as src,index="identitynow" |spath path=source_host |<BR />rename source_host as src_user_id,index="identitynow" |spath path=apiUsername |rename apiUsername as user<BR /><BR />Is it possible to use the spath function with the EVAL command?<BR /><BR /><BR />Thank you so much for all your help!</P> Wed, 06 Apr 2022 15:30:49 GMT https://community.splunk.com/t5/Reporting/How-to-convert-multiple-spath-commands-into-a-single-EVAL/m-p/592645#M11304 POR160893 2022-04-06T15:30:49Z https://community.splunk.com/t5/Reporting/How-to-convert-multiple-spath-commands-into-a-single-EVAL/m-p/592655#M11305 <P>You have labelled this question as summary indexing. Perhaps if you could explain what it is that you are trying to achieve, we might be able to find a way to do it.</P> Thu, 07 Apr 2022 15:16:48 GMT https://community.splunk.com/t5/Reporting/How-to-convert-multiple-spath-commands-into-a-single-EVAL/m-p/592655#M11305 ITWhisperer 2022-04-07T15:16:48Z https://community.splunk.com/t5/Reporting/How-to-convert-multiple-spath-commands-into-a-single-EVAL/m-p/592660#M11306 <P>Basically, I have an index and some of the fields are in JSON format. I need to extract them and make individual fields for them.<BR /><BR />Spath was the only way I could access the values in JSON format and turn them into fields. I am unable to add the Spath into the props.conf - only extraction, field alias and eval.<BR /><BR />Can you please help?</P> Wed, 06 Apr 2022 11:45:47 GMT https://community.splunk.com/t5/Reporting/How-to-convert-multiple-spath-commands-into-a-single-EVAL/m-p/592660#M11306 POR160893 2022-04-06T11:45:47Z https://community.splunk.com/t5/Reporting/How-to-convert-multiple-spath-commands-into-a-single-EVAL/m-p/592862#M11307 <P>Does anyone know the answer to this please?</P> Thu, 07 Apr 2022 10:04:32 GMT https://community.splunk.com/t5/Reporting/How-to-convert-multiple-spath-commands-into-a-single-EVAL/m-p/592862#M11307 POR160893 2022-04-07T10:04:32Z https://community.splunk.com/t5/Reporting/How-to-convert-multiple-spath-commands-into-a-single-EVAL/m-p/592863#M11308 <P>Does anyone know the answer to this issue please as I need it for CIM compliance?</P> Thu, 07 Apr 2022 10:05:17 GMT https://community.splunk.com/t5/Reporting/How-to-convert-multiple-spath-commands-into-a-single-EVAL/m-p/592863#M11308 POR160893 2022-04-07T10:05:17Z https://community.splunk.com/t5/Reporting/How-to-convert-multiple-spath-commands-into-a-single-EVAL/m-p/592877#M11309 <P><SPAN>Basically, I have an index and some of the fields are in JSON format. I need to extract them and make individual fields for them.</SPAN><BR /><BR /><SPAN>Spath was the only way I could access the values in JSON format and turn them into fields. I am unable to add the Spath into the props.conf - only extraction, field alias and eval.</SPAN><BR /><BR /><SPAN>Can you please help?</SPAN></P> Thu, 07 Apr 2022 11:51:46 GMT https://community.splunk.com/t5/Reporting/How-to-convert-multiple-spath-commands-into-a-single-EVAL/m-p/592877#M11309 POR160893 2022-04-07T11:51:46Z https://community.splunk.com/t5/Reporting/How-to-convert-multiple-spath-commands-into-a-single-EVAL/m-p/592937#M11310 <P>I solved the problem, thanks<span class="lia-unicode-emoji" title=":grinning_face:">😀</span>:<BR /><BR /><BR />.....<BR />| eval authentication_method =spath(_raw,"action")<BR />| eval authentication_service = spath(_raw,"name")<BR />| eval reason =spath(_raw,"message")<BR />| eval action=spath(_raw,"status")<BR />| eval src=spath(_raw,"source")<BR />| eval src_user_id = spath(_raw,"source_host")<BR />| eval user=spath(_raw,"apiUsername")<BR /><BR /><BR /><BR /></P> Thu, 07 Apr 2022 15:10:31 GMT https://community.splunk.com/t5/Reporting/How-to-convert-multiple-spath-commands-into-a-single-EVAL/m-p/592937#M11310 POR160893 2022-04-07T15:10:31Z