https://community.splunk.com/t5/Splunk-Search/Splitting-or-searching-a-MV-JSON/m-p/334488#M164400 <P>is it possible to extract a field from a result contained in a JSON field?<BR /> Ex; result of field payment.log: {"data":{"lancto_dto_list":,"sld_dt":{"lim":10.00,"sld_disp":37.80,"disp":40.80}}}<BR /> I need the last field "disp".</P> Wed, 30 Sep 2020 03:57:31 GMT anishinha 2020-09-30T03:57:31Z https://community.splunk.com/t5/Splunk-Search/Splitting-or-searching-a-MV-JSON/m-p/334483#M164395 <P>I have a json array like:</P> <P>How can I search or split that? The search:</P> <P>index=jira "issues{}.fields.customfield_14028"=521 | head 1 | stats sum("issues{}.fields.customfield_14233") by "issues{}.fields.summary"</P> <P>gives all issues....also where issues{}.fields.customfield_14028"&lt;&gt;521</P> Tue, 29 Sep 2020 17:11:41 GMT https://community.splunk.com/t5/Splunk-Search/Splitting-or-searching-a-MV-JSON/m-p/334483#M164395 moseisleydk 2020-09-29T17:11:41Z https://community.splunk.com/t5/Splunk-Search/Splitting-or-searching-a-MV-JSON/m-p/334484#M164396 <P>Hi @moseisleydk,</P> <P>Can you please try this search?</P> <PRE><CODE>index=jira "issues{}.fields.customfield_14028"=521 | head 1 | rename "issues{}.fields.customfield_14233" as customfield_14233, "issues{}.fields.summary" as summary | eval tempField=mvzip(customfield_14233,summary) | stats count by _time,tempField | eval customfield_14233=mvindex(split(tempField,","),0), summary=mvindex(split(tempField,","),1) | stats sum(customfield_14233) by summary </CODE></PRE> <P>Thanks</P> Tue, 12 Dec 2017 12:58:19 GMT https://community.splunk.com/t5/Splunk-Search/Splitting-or-searching-a-MV-JSON/m-p/334484#M164396 kamlesh_vaghela 2017-12-12T12:58:19Z https://community.splunk.com/t5/Splunk-Search/Splitting-or-searching-a-MV-JSON/m-p/334485#M164397 <P>Hi,</P> <P>Thanks, it still "ignores" the</P> <P>"issues{}.fields.customfield_14028"=521 </P> <P>and reports all issues, not only the </P> <P>customfield_14028: 521</P> <P>issues.</P> <P>Kind Regards,</P> <P>Normann</P> Tue, 12 Dec 2017 13:08:52 GMT https://community.splunk.com/t5/Splunk-Search/Splitting-or-searching-a-MV-JSON/m-p/334485#M164397 moseisleydk 2017-12-12T13:08:52Z https://community.splunk.com/t5/Splunk-Search/Splitting-or-searching-a-MV-JSON/m-p/334486#M164398 <P>Can you please share sample events? use <CODE>101010</CODE> for same.</P> Tue, 12 Dec 2017 13:17:39 GMT https://community.splunk.com/t5/Splunk-Search/Splitting-or-searching-a-MV-JSON/m-p/334486#M164398 kamlesh_vaghela 2017-12-12T13:17:39Z https://community.splunk.com/t5/Splunk-Search/Splitting-or-searching-a-MV-JSON/m-p/334487#M164399 <P>Found it after some test and thanks to <A href="https://answers.splunk.com/answers/366957/how-do-i-get-splunk-to-extract-nested-json-arrays.html" target="_blank">https://answers.splunk.com/answers/366957/how-do-i-get-splunk-to-extract-nested-json-arrays.html</A></P> <P>index=jira | head 1 | spath output=x path=issues{} | fields - _raw | fields x | mvexpand x | spath input=x | rename fields{} as fields | mvexpand fields | search fields.customfield_14028=521 | table key,fields.summary,fields.customfield_12931.value,fields.customfield_12927,fields.customfield_14233,fields.customfield_12932.value,price</P> <P>Give a nice table for all "events" where fields.customfield_14028=521</P> Tue, 29 Sep 2020 17:13:43 GMT https://community.splunk.com/t5/Splunk-Search/Splitting-or-searching-a-MV-JSON/m-p/334487#M164399 moseisleydk 2020-09-29T17:13:43Z https://community.splunk.com/t5/Splunk-Search/Splitting-or-searching-a-MV-JSON/m-p/334488#M164400 <P>is it possible to extract a field from a result contained in a JSON field?<BR /> Ex; result of field payment.log: {"data":{"lancto_dto_list":,"sld_dt":{"lim":10.00,"sld_disp":37.80,"disp":40.80}}}<BR /> I need the last field "disp".</P> Wed, 30 Sep 2020 03:57:31 GMT https://community.splunk.com/t5/Splunk-Search/Splitting-or-searching-a-MV-JSON/m-p/334488#M164400 anishinha 2020-09-30T03:57:31Z https://community.splunk.com/t5/Splunk-Search/Splitting-or-searching-a-MV-JSON/m-p/334489#M164401 <PRE><CODE>| makeresults | eval _raw="payment.log: {\"data\":{\"lancto_dto_list\":,\"sld_dt\":{\"lim\":10.00,\"sld_disp\":37.80,\"disp\":40.80}}}" | rex "disp.:(?&lt;disp&gt;[\d.]+)" </CODE></PRE> Fri, 31 Jan 2020 11:59:58 GMT https://community.splunk.com/t5/Splunk-Search/Splitting-or-searching-a-MV-JSON/m-p/334489#M164401 to4kawa 2020-01-31T11:59:58Z