topic How do I change field names (extracted field name) to field values? in Splunk Search https://community.splunk.com/t5/Splunk-Search/How-do-I-change-field-names-extracted-field-name-to-field-values/m-p/469875#M192081 <P>I have a json structure that contains an object map:</P> <PRE><CODE>{ "correlation_id": "f9535d13-f75b-4dd7-8c39-1e77b1559afe", "targeting_data": [ { "attribute_values": { "1013": "005", "2056": "07", "2057": "01", "2058": "03", "2060": "02", "2065": "01", "2075": "04", "2080": "03", "2081": "01", "DMA": "803", "RECTYPE": "HD", "RECVCNT": "6", "STATE": "CA", "SVCPKGTIER": "5" }, "origin": null } ], "timestamp": "2020-06-02T00:02:09.257+00:00", "zone_target_area": "195" } </CODE></PRE> <P>How do i take the fields extracted as targeting_data{}.attribute_values.1013, targeting_data{}.attribute_values.2056 and output the field names (1013, 2056) as values. I would like for my output to be a list of the map's keys.</P> Wed, 30 Sep 2020 05:36:23 GMT vasugazula 2020-09-30T05:36:23Z How do I change field names (extracted field name) to field values? https://community.splunk.com/t5/Splunk-Search/How-do-I-change-field-names-extracted-field-name-to-field-values/m-p/469875#M192081 <P>I have a json structure that contains an object map:</P> <PRE><CODE>{ "correlation_id": "f9535d13-f75b-4dd7-8c39-1e77b1559afe", "targeting_data": [ { "attribute_values": { "1013": "005", "2056": "07", "2057": "01", "2058": "03", "2060": "02", "2065": "01", "2075": "04", "2080": "03", "2081": "01", "DMA": "803", "RECTYPE": "HD", "RECVCNT": "6", "STATE": "CA", "SVCPKGTIER": "5" }, "origin": null } ], "timestamp": "2020-06-02T00:02:09.257+00:00", "zone_target_area": "195" } </CODE></PRE> <P>How do i take the fields extracted as targeting_data{}.attribute_values.1013, targeting_data{}.attribute_values.2056 and output the field names (1013, 2056) as values. I would like for my output to be a list of the map's keys.</P> Wed, 30 Sep 2020 05:36:23 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-change-field-names-extracted-field-name-to-field-values/m-p/469875#M192081 vasugazula 2020-09-30T05:36:23Z Re: How do I change field names (extracted field name) to field values? https://community.splunk.com/t5/Splunk-Search/How-do-I-change-field-names-extracted-field-name-to-field-values/m-p/469876#M192082 <P>@vasugazula </P> <P>Can you please try this? You will have your values in <CODE>map_s_keys</CODE> field.</P> <PRE><CODE>YOUR_SEARCH | eval map_s_keys="" | foreach targeting_data{}.attribute_values.* [ eval map_s_keys=if(map_s_keys="","&lt;&lt;MATCHSTR&gt;&gt;", map_s_keys.","."&lt;&lt;MATCHSTR&gt;&gt;") ] | table map_s_keys </CODE></PRE> <P><STRONG>Sample Search:</STRONG></P> <PRE><CODE>| makeresults | eval _raw="{\"correlation_id\": \"f9535d13-f75b-4dd7-8c39-1e77b1559afe\",\"targeting_data\": [{\"attribute_values\": {\"1013\": \"005\",\"2056\": \"07\",\"2057\": \"01\",\"2058\": \"03\",\"2060\": \"02\",\"2065\": \"01\",\"2075\": \"04\",\"2080\": \"03\",\"2081\": \"01\",\"DMA\": \"803\",\"RECTYPE\": \"HD\",\"RECVCNT\": \"6\",\"STATE\": \"CA\",\"SVCPKGTIER\": \"5\"},\"origin\": null}],\"timestamp\": \"2020-06-02T00:02:09.257+00:00\",\"zone_target_area\": \"195\"}" | extract | eval map_s_keys="" | foreach targeting_data{}.attribute_values.* [ eval map_s_keys=if(map_s_keys="","&lt;&lt;MATCHSTR&gt;&gt;", map_s_keys.","."&lt;&lt;MATCHSTR&gt;&gt;") ] | table map_s_keys </CODE></PRE> <P>Thanks</P> Tue, 02 Jun 2020 05:41:53 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-change-field-names-extracted-field-name-to-field-values/m-p/469876#M192082 kamlesh_vaghela 2020-06-02T05:41:53Z