https://community.splunk.com/t5/Splunk-Search/Parse-nested-json-array-without-direct-key-value-mapping/m-p/509770#M142484 <LI-CODE lang="markup">index=_internal |head 1 | fields _time _raw |eval _raw="{\"id\":\"123\",\"uri\":\"http://xyz.com/api\",\"method\":\"POST\",\"headers\":[\"Accept: application/json\",\"SERVICE.ENV: qa\",\"SERVICE.NAME: someservice\",\"CLIENT.ID: s0m3id\",\"CLIENT_TYPE: typeA\",\"CLIENT_IP:123.456.7.8\"],\"cookies\":[],\"message\":\"Request Finished\",\"status\":200}" | spath headers{} output=headers | rex field=headers max_match=0 "(?&lt;key&gt;\w+):\s*(?&lt;value&gt;\S+)" | eval _raw=mvzip(key,value,"=") | kv</LI-CODE><P>This query extracts&nbsp;<EM>header array.</EM></P> Fri, 17 Jul 2020 18:32:11 GMT to4kawa 2020-07-17T18:32:11Z https://community.splunk.com/t5/Splunk-Search/Parse-nested-json-array-without-direct-key-value-mapping/m-p/509628#M142451 <P>Hi,&nbsp;</P><P>I have a json that looks like the following -&nbsp;<BR /><BR />{<BR />"id": "123",<BR />"uri": "<A href="http://xyz.com/api" target="_blank" rel="noopener">http://xyz.com/api</A>",<BR />"method": "POST",<BR />"headers": [<BR />"Accept: application/json",<BR />"SERVICE.ENV: qa",<BR />"SERVICE.NAME: someservice",<BR />"CLIENT.ID: s0m3id",<BR />"CLIENT_TYPE: typeA",<BR />"CLIENT_IP:123.456.7.8"<BR />],<BR />"cookies": [],<BR />"message": "Request Finished",<BR />"status": 200<BR />}<BR /><BR />Within the headers section, I want to capture what all CLIENT_IPs are passing other header info such as SERVICE.ENV and SERVICE.NAME. The catch being, CLIENT_IP:123.456.7.8 is all in a single pair of quotes, so it isn't being parsed as a key value pair (as per my understanding). Please help.&nbsp;</P> Fri, 17 Jul 2020 00:28:36 GMT https://community.splunk.com/t5/Splunk-Search/Parse-nested-json-array-without-direct-key-value-mapping/m-p/509628#M142451 rashmeet 2020-07-17T00:28:36Z https://community.splunk.com/t5/Splunk-Search/Parse-nested-json-array-without-direct-key-value-mapping/m-p/509634#M142455 <P>Hello -&nbsp;</P><P>This looks like valid JSON. Have you tried setting KV_MODE=json in props.conf?<BR /><BR /><A href="https://docs.splunk.com/Documentation/Splunk/8.0.5/Knowledge/Automatickey-valuefieldextractionsatsearch-time" target="_blank">https://docs.splunk.com/Documentation/Splunk/8.0.5/Knowledge/Automatickey-valuefieldextractionsatsearch-time</A>&nbsp;</P><P>Thanks!</P> Fri, 17 Jul 2020 02:01:03 GMT https://community.splunk.com/t5/Splunk-Search/Parse-nested-json-array-without-direct-key-value-mapping/m-p/509634#M142455 _gkollias 2020-07-17T02:01:03Z https://community.splunk.com/t5/Splunk-Search/Parse-nested-json-array-without-direct-key-value-mapping/m-p/509638#M142458 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/174728">@_gkollias</a>&nbsp; - Thank you for the response.&nbsp;<BR />And sorry I’m absolutely new to splunk which is why I was unaware for the KV_MODE. So once it’s specified, will I be able to query with the key such as CLIENT_ID?&nbsp;<BR /><BR /></P><P>I've been trying queries like -&nbsp;</P><P>index=my_service<BR />| rename @fields.headers{}.* as *<BR />| eval a = mvzip(CLIENT_IP,CLIENT.ID,"|")<BR />| mvexpand a<BR />| table CLIENT_IP,CLIENT.ID</P><P>And it is giving me empty table.</P> Fri, 17 Jul 2020 17:12:38 GMT https://community.splunk.com/t5/Splunk-Search/Parse-nested-json-array-without-direct-key-value-mapping/m-p/509638#M142458 rashmeet 2020-07-17T17:12:38Z https://community.splunk.com/t5/Splunk-Search/Parse-nested-json-array-without-direct-key-value-mapping/m-p/509749#M142478 <P>&nbsp;</P><P>&nbsp;</P> Fri, 17 Jul 2020 17:12:56 GMT https://community.splunk.com/t5/Splunk-Search/Parse-nested-json-array-without-direct-key-value-mapping/m-p/509749#M142478 rashmeet 2020-07-17T17:12:56Z https://community.splunk.com/t5/Splunk-Search/Parse-nested-json-array-without-direct-key-value-mapping/m-p/509770#M142484 <LI-CODE lang="markup">index=_internal |head 1 | fields _time _raw |eval _raw="{\"id\":\"123\",\"uri\":\"http://xyz.com/api\",\"method\":\"POST\",\"headers\":[\"Accept: application/json\",\"SERVICE.ENV: qa\",\"SERVICE.NAME: someservice\",\"CLIENT.ID: s0m3id\",\"CLIENT_TYPE: typeA\",\"CLIENT_IP:123.456.7.8\"],\"cookies\":[],\"message\":\"Request Finished\",\"status\":200}" | spath headers{} output=headers | rex field=headers max_match=0 "(?&lt;key&gt;\w+):\s*(?&lt;value&gt;\S+)" | eval _raw=mvzip(key,value,"=") | kv</LI-CODE><P>This query extracts&nbsp;<EM>header array.</EM></P> Fri, 17 Jul 2020 18:32:11 GMT https://community.splunk.com/t5/Splunk-Search/Parse-nested-json-array-without-direct-key-value-mapping/m-p/509770#M142484 to4kawa 2020-07-17T18:32:11Z https://community.splunk.com/t5/Splunk-Search/Parse-nested-json-array-without-direct-key-value-mapping/m-p/509807#M142506 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/184221">@to4kawa</a>&nbsp; - Thank you, that does help, much appreciated. <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span><BR /><BR /></P><P>&nbsp;</P><P><BR />&nbsp;</P> Sat, 18 Jul 2020 16:48:56 GMT https://community.splunk.com/t5/Splunk-Search/Parse-nested-json-array-without-direct-key-value-mapping/m-p/509807#M142506 rashmeet 2020-07-18T16:48:56Z