https://community.splunk.com/t5/Splunk-Search/How-to-use-mvindex-to-break-json-file-with-multiple-values/m-p/565593#M197064 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/29190">@rczone</a>&nbsp;</P><P>It looks some variations in JSON event.</P><P>Can you please try these two options?</P><P>1)</P><P>&nbsp;</P><LI-CODE lang="markup">YOUR_SEARCH | spath path=results_appcodes{} output=results_appcodes | stats count by results_appcodes |fields - count | rename results_appcodes as _raw | kv | eval job_names=if(isnotnull('job_names{}'),'job_names{}','job_names{}{}') | fields - "job_names{*" |table app_code count group instance job_names | eval job_names=mvjoin(job_names,",")</LI-CODE><P>&nbsp;</P><P>&nbsp;<STRONG>My Sample Search :</STRONG></P><P>&nbsp;</P><LI-CODE lang="markup">| makeresults | eval _raw="{\"results_appcodes\": [{\"count\": 2,\"app_code\": \"XYZ\",\"group\": \"\",\"instance\": \"PQ1\",\"job_names\": [\"XYZ#cmd#johntest1\", \"XYZ#cmd#remetest\"]}, {\"count\": 2,\"app_code\": \"ZZZ\",\"group\": \"ABC1234\",\"instance\": \"PQ1\",\"job_names\": [\"ZZZ#ADM#cmd#pac\", \"ZZZ#cmd#GET_APP_CODE\"]}, {\"count\": 1,\"app_code\": \"XYZ\",\"group\": \"\",\"instance\": \"PQ1\",\"job_names\": [\"XYZ#cmd#mila3098\"]}, {\"count\": 192,\"app_code\": \"GKU\",\"group\": \"CAD45678\",\"instance\": \"PQ1\",\"job_names\": [[\"ZZZ#cmd#test123\"],[\"ZZZ#cmd#test890\"],[\"ZZZ#cmd#gola456\"],[\"ZZZ#cmd#test9990\"]]}]}" | kv | spath path=results_appcodes{} output=results_appcodes | stats count by results_appcodes |fields - count | rename results_appcodes as _raw | kv | eval job_names=if(isnotnull('job_names{}'),'job_names{}','job_names{}{}') | fields - "job_names{*" |table app_code count group instance job_names | eval job_names=mvjoin(job_names,",")</LI-CODE><P>&nbsp;</P><P>&nbsp;</P><P>2)</P><P>&nbsp;</P><LI-CODE lang="markup">YOUR_SEARCH | eval data = split(_raw,"}, {") | stats count by data | rex field=data "\"count\":\s(?&lt;count&gt;\d+),\s\"app_code\":\s\"(?&lt;app_code&gt;[^,]+)\",\s\"group\"\:\s\"(?&lt;group&gt;[^,]*)\",\s\"instance\"\:\s\"(?&lt;instance&gt;[^,]+)\",\s\"job_names\":\s(?&lt;job_names&gt;.*)" | rex field=job_names "\[?\"(?&lt;job_names&gt;[^\"]+)\"" max_match=0 | eval job_names=mvjoin(job_names,",") |table app_code count group instance job_names</LI-CODE><P>&nbsp;</P><P>&nbsp;</P><P><STRONG>My Sample Search :</STRONG></P><P>&nbsp;</P><LI-CODE lang="markup">| makeresults | eval _raw="{\"results_appcodes\": [{\"count\": 2, \"app_code\": \"XYZ\", \"group\": \"\", \"instance\": \"PQ1\", \"job_names\": [\"XYZ#cmd#johntest1\", \"XYZ#cmd#remetest\"]}, {\"count\": 2, \"app_code\": \"ZZZ\", \"group\": \"ABC1234\", \"instance\": \"PQ1\", \"job_names\": [\"ZZZ#ADM#cmd#pac\", \"ZZZ#cmd#GET_APP_CODE\"]}, {\"count\": 1, \"app_code\": \"XYZ\", \"group\": \"\", \"instance\": \"PQ1\", \"job_names\": [\"XYZ#cmd#mila3098\"]}, {\"count\": 192, \"app_code\": \"GKU\", \"group\": \"CAD45678\", \"instance\": \"PQ1\", \"job_names\": [\"ZZZ#cmd#test123\"] ,[\"ZZZ#cmd#test890\"], [\"ZZZ#cmd#gola456\"], [\"ZZZ#cmd#test9990\"] }}" | eval data = split(_raw,"}, {") | stats count by data | rex field=data "\"count\":\s(?&lt;count&gt;\d+),\s\"app_code\":\s\"(?&lt;app_code&gt;[^,]+)\",\s\"group\"\:\s\"(?&lt;group&gt;[^,]*)\",\s\"instance\"\:\s\"(?&lt;instance&gt;[^,]+)\",\s\"job_names\":\s(?&lt;job_names&gt;.*)" | rex field=job_names "\[?\"(?&lt;job_names&gt;[^\"]+)\"" max_match=0 | eval job_names=mvjoin(job_names,",") |table app_code count group instance job_names</LI-CODE><P>&nbsp;</P><P>&nbsp;</P><P>I hope this will help you with your all type of events. <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span>&nbsp;</P><P>Thanks<BR />KV<BR />▄︻̷̿┻̿═━一 &nbsp;&nbsp;<SPAN><span class="lia-unicode-emoji" title=":winking_face:">😉</span></SPAN><BR /><BR />If any of my reply helps you to solve the problem Or gain knowledge, an upvote would be appreciated.</P> Thu, 02 Sep 2021 05:42:09 GMT kamlesh_vaghela 2021-09-02T05:42:09Z https://community.splunk.com/t5/Splunk-Search/How-to-use-mvindex-to-break-json-file-with-multiple-values/m-p/565258#M196933 <P>Hello All,</P><P>&nbsp;</P><P>So i have a field like below with JSON file<BR /><BR /></P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><LI-CODE lang="markup">{"results_appcodes": [{"count": 2, "app_code": "XYZ", "group": "", "instance": "PQ1", "job_names": ["XYZ#cmd#johntest1", "XYZ#cmd#remetest"]}, {"count": 2, "app_code": "ZZZ", "group": "ABC1234", "instance": "PQ1", "job_names": ["ZZZ#ADM#cmd#pac", "ZZZ#cmd#GET_APP_CODE"]}, {"count": 1, "app_code": "ZZZ", "group": "", "instance": "PQ1", "job_names": ["ZZZ#cmd#mila3098"]}, {"count": 192, "app_code": "GKU", "group": "CAD45678", "instance": "PQ1", "job_names": ["ZZZ#cmd#test123"] ,["ZZZ#cmd#test890"], ["ZZZ#cmd#gola456"], ["ZZZ#cmd#test9990"] }}</LI-CODE><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;Im using below query to break down the JSON file above&nbsp;<BR /><BR />All the fields&nbsp; count,app_code, group, instance are getting as expected but for&nbsp; job_names&nbsp; im unable to break down and that particular attrbute has a list of jobs underneath it<BR /><BR />Im looking for a query to get jobnames also&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><LI-CODE lang="markup">&lt;&lt;mysearch&gt;&gt;| spath input=results|rename unique_appcodes{}.* as * | eval x = mvzip(count,mvzip(app_code,mvzip(group,mvzip(instance,mvzip(instance,job_names))))) | mvexpand x | eval x = split(x, ",")| eval job_count=mvindex(x,0), app_code = mvindex(x,1) ,group=mvindex(x,2), instance = mvindex(x,3),job_names = mvindex(x,4) |table app_code job_count group instance job_names</LI-CODE><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>Expected output</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><LI-CODE lang="css">app_code count group instance job_names XYZ 2 PQ1 XYZ#cmd#johntest1,XYZ#cmd#remetest ZZZ 2 ABC1234 PQ2 ZZZ#ADM#cmd#pac,ZZZ#cmd#GET_APP_CODE</LI-CODE><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Mon, 30 Aug 2021 19:53:56 GMT https://community.splunk.com/t5/Splunk-Search/How-to-use-mvindex-to-break-json-file-with-multiple-values/m-p/565258#M196933 rczone 2021-08-30T19:53:56Z https://community.splunk.com/t5/Splunk-Search/How-to-use-mvindex-to-break-json-file-with-multiple-values/m-p/565259#M196934 <P>&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/225168">@ITWhisperer</a>&nbsp; any inputs&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/127939">@kamlesh_vaghela</a>&nbsp;</P> Mon, 30 Aug 2021 20:04:40 GMT https://community.splunk.com/t5/Splunk-Search/How-to-use-mvindex-to-break-json-file-with-multiple-values/m-p/565259#M196934 rczone 2021-08-30T20:04:40Z https://community.splunk.com/t5/Splunk-Search/How-to-use-mvindex-to-break-json-file-with-multiple-values/m-p/565293#M196950 <P>Try something like this</P><LI-CODE lang="markup">| spath result_appcodes{} output=result_appcodes | mvexpand result_appcodes | spath input=result_appcodes </LI-CODE> Tue, 31 Aug 2021 08:45:55 GMT https://community.splunk.com/t5/Splunk-Search/How-to-use-mvindex-to-break-json-file-with-multiple-values/m-p/565293#M196950 ITWhisperer 2021-08-31T08:45:55Z https://community.splunk.com/t5/Splunk-Search/How-to-use-mvindex-to-break-json-file-with-multiple-values/m-p/565335#M196967 <P>Thankyou...but im looking to split the values individually as i need them to use further in my query...with jso spath split we cant use the values as individually</P> Tue, 31 Aug 2021 13:44:54 GMT https://community.splunk.com/t5/Splunk-Search/How-to-use-mvindex-to-break-json-file-with-multiple-values/m-p/565335#M196967 rczone 2021-08-31T13:44:54Z https://community.splunk.com/t5/Splunk-Search/How-to-use-mvindex-to-break-json-file-with-multiple-values/m-p/565417#M197002 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/29190">@rczone</a>&nbsp;</P><P>Can you please try this?</P><LI-CODE lang="php">YOUR_SEARCH | kv | spath path=results_appcodes{} output=results_appcodes | stats count by results_appcodes |fields - count | rename results_appcodes as _raw | kv | eval job_names=if(isnotnull('job_names{}'),'job_names{}','job_names{}{}') | fields - "job_names{*" | eval n=1 | accum n | eventstats max(n) as mn by app_code | where n=mn |table app_code count group instance job_names | eval job_names=mvjoin(job_names,",")</LI-CODE><P>&nbsp;</P><P><STRONG>My Sample Search :</STRONG></P><LI-CODE lang="php">| makeresults | eval _raw="{\"results_appcodes\": [{\"count\": 2,\"app_code\": \"XYZ\",\"group\": \"\",\"instance\": \"PQ1\",\"job_names\": [\"XYZ#cmd#johntest1\", \"XYZ#cmd#remetest\"]}, {\"count\": 2,\"app_code\": \"ZZZ\",\"group\": \"ABC1234\",\"instance\": \"PQ1\",\"job_names\": [\"ZZZ#ADM#cmd#pac\", \"ZZZ#cmd#GET_APP_CODE\"]}, {\"count\": 1,\"app_code\": \"ZZZ\",\"group\": \"\",\"instance\": \"PQ1\",\"job_names\": [\"ZZZ#cmd#mila3098\"]}, {\"count\": 192,\"app_code\": \"GKU\",\"group\": \"CAD45678\",\"instance\": \"PQ1\",\"job_names\": [[\"ZZZ#cmd#test123\"],[\"ZZZ#cmd#test890\"],[\"ZZZ#cmd#gola456\"],[\"ZZZ#cmd#test9990\"]]}]}" | kv | spath path=results_appcodes{} output=results_appcodes | stats count by results_appcodes |fields - count | rename results_appcodes as _raw | kv | eval job_names=if(isnotnull('job_names{}'),'job_names{}','job_names{}{}') | fields - "job_names{*" | eval n=1 | accum n | eventstats max(n) as mn by app_code | where n=mn |table app_code count group instance job_names | eval job_names=mvjoin(job_names,",")</LI-CODE><P>&nbsp;</P><P>My Sample Event.</P><LI-CODE lang="javascript">{ "results_appcodes": [{ "count": 2, "app_code": "XYZ", "group": "", "instance": "PQ1", "job_names": ["XYZ#cmd#johntest1", "XYZ#cmd#remetest"] }, { "count": 2, "app_code": "ZZZ", "group": "ABC1234", "instance": "PQ1", "job_names": ["ZZZ#ADM#cmd#pac", "ZZZ#cmd#GET_APP_CODE"] }, { "count": 1, "app_code": "ZZZ", "group": "", "instance": "PQ1", "job_names": ["ZZZ#cmd#mila3098"] }, { "count": 192, "app_code": "GKU", "group": "CAD45678", "instance": "PQ1", "job_names": [ ["ZZZ#cmd#test123"], ["ZZZ#cmd#test890"], ["ZZZ#cmd#gola456"], ["ZZZ#cmd#test9990"] ] }] }</LI-CODE><P>&nbsp;</P><P>You can changes the search incase variation in event <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span>&nbsp;</P><P>Thanks<BR />KV<BR />▄︻̷̿┻̿═━一 &nbsp;<BR /><BR />If any of my reply helps you to solve the problem Or gain knowledge, an upvote would be appreciated.</P> Wed, 01 Sep 2021 05:32:05 GMT https://community.splunk.com/t5/Splunk-Search/How-to-use-mvindex-to-break-json-file-with-multiple-values/m-p/565417#M197002 kamlesh_vaghela 2021-09-01T05:32:05Z https://community.splunk.com/t5/Splunk-Search/How-to-use-mvindex-to-break-json-file-with-multiple-values/m-p/565429#M197007 <P>Can you give an example of what you get from this search and what further it needs to do?</P> Wed, 01 Sep 2021 08:27:33 GMT https://community.splunk.com/t5/Splunk-Search/How-to-use-mvindex-to-break-json-file-with-multiple-values/m-p/565429#M197007 ITWhisperer 2021-09-01T08:27:33Z https://community.splunk.com/t5/Splunk-Search/How-to-use-mvindex-to-break-json-file-with-multiple-values/m-p/565547#M197053 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/127939">@kamlesh_vaghela</a>&nbsp; Thankyou so much it worked most of the part for me its truncating job_names with count 1 if the job_names is duplicate<BR /><BR /><BR />here is my sample json file -- XYZ job_names has 2 records&nbsp; i it ,with count 2 and count 1 respectively in this case XYZ is only displayed once in output but i have to get 2 rows for XYZ</P><P>&nbsp;</P><LI-CODE lang="markup">{"results_appcodes": [{"count": 2, "app_code": "XYZ", "group": "", "instance": "PQ1", "job_names": ["XYZ#cmd#johntest1", "XYZ#cmd#remetest"]}, {"count": 2, "app_code": "ZZZ", "group": "ABC1234", "instance": "PQ1", "job_names": ["ZZZ#ADM#cmd#pac", "ZZZ#cmd#GET_APP_CODE"]}, {"count": 1, "app_code": "XYZ", "group": "", "instance": "PQ1", "job_names": ["XYZ#cmd#mila3098"]}, {"count": 192, "app_code": "GKU", "group": "CAD45678", "instance": "PQ1", "job_names": ["ZZZ#cmd#test123"] ,["ZZZ#cmd#test890"], ["ZZZ#cmd#gola456"], ["ZZZ#cmd#test9990"] }}</LI-CODE><P>&nbsp;</P><P><BR /><BR /></P> Wed, 01 Sep 2021 19:03:01 GMT https://community.splunk.com/t5/Splunk-Search/How-to-use-mvindex-to-break-json-file-with-multiple-values/m-p/565547#M197053 rczone 2021-09-01T19:03:01Z https://community.splunk.com/t5/Splunk-Search/How-to-use-mvindex-to-break-json-file-with-multiple-values/m-p/565593#M197064 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/29190">@rczone</a>&nbsp;</P><P>It looks some variations in JSON event.</P><P>Can you please try these two options?</P><P>1)</P><P>&nbsp;</P><LI-CODE lang="markup">YOUR_SEARCH | spath path=results_appcodes{} output=results_appcodes | stats count by results_appcodes |fields - count | rename results_appcodes as _raw | kv | eval job_names=if(isnotnull('job_names{}'),'job_names{}','job_names{}{}') | fields - "job_names{*" |table app_code count group instance job_names | eval job_names=mvjoin(job_names,",")</LI-CODE><P>&nbsp;</P><P>&nbsp;<STRONG>My Sample Search :</STRONG></P><P>&nbsp;</P><LI-CODE lang="markup">| makeresults | eval _raw="{\"results_appcodes\": [{\"count\": 2,\"app_code\": \"XYZ\",\"group\": \"\",\"instance\": \"PQ1\",\"job_names\": [\"XYZ#cmd#johntest1\", \"XYZ#cmd#remetest\"]}, {\"count\": 2,\"app_code\": \"ZZZ\",\"group\": \"ABC1234\",\"instance\": \"PQ1\",\"job_names\": [\"ZZZ#ADM#cmd#pac\", \"ZZZ#cmd#GET_APP_CODE\"]}, {\"count\": 1,\"app_code\": \"XYZ\",\"group\": \"\",\"instance\": \"PQ1\",\"job_names\": [\"XYZ#cmd#mila3098\"]}, {\"count\": 192,\"app_code\": \"GKU\",\"group\": \"CAD45678\",\"instance\": \"PQ1\",\"job_names\": [[\"ZZZ#cmd#test123\"],[\"ZZZ#cmd#test890\"],[\"ZZZ#cmd#gola456\"],[\"ZZZ#cmd#test9990\"]]}]}" | kv | spath path=results_appcodes{} output=results_appcodes | stats count by results_appcodes |fields - count | rename results_appcodes as _raw | kv | eval job_names=if(isnotnull('job_names{}'),'job_names{}','job_names{}{}') | fields - "job_names{*" |table app_code count group instance job_names | eval job_names=mvjoin(job_names,",")</LI-CODE><P>&nbsp;</P><P>&nbsp;</P><P>2)</P><P>&nbsp;</P><LI-CODE lang="markup">YOUR_SEARCH | eval data = split(_raw,"}, {") | stats count by data | rex field=data "\"count\":\s(?&lt;count&gt;\d+),\s\"app_code\":\s\"(?&lt;app_code&gt;[^,]+)\",\s\"group\"\:\s\"(?&lt;group&gt;[^,]*)\",\s\"instance\"\:\s\"(?&lt;instance&gt;[^,]+)\",\s\"job_names\":\s(?&lt;job_names&gt;.*)" | rex field=job_names "\[?\"(?&lt;job_names&gt;[^\"]+)\"" max_match=0 | eval job_names=mvjoin(job_names,",") |table app_code count group instance job_names</LI-CODE><P>&nbsp;</P><P>&nbsp;</P><P><STRONG>My Sample Search :</STRONG></P><P>&nbsp;</P><LI-CODE lang="markup">| makeresults | eval _raw="{\"results_appcodes\": [{\"count\": 2, \"app_code\": \"XYZ\", \"group\": \"\", \"instance\": \"PQ1\", \"job_names\": [\"XYZ#cmd#johntest1\", \"XYZ#cmd#remetest\"]}, {\"count\": 2, \"app_code\": \"ZZZ\", \"group\": \"ABC1234\", \"instance\": \"PQ1\", \"job_names\": [\"ZZZ#ADM#cmd#pac\", \"ZZZ#cmd#GET_APP_CODE\"]}, {\"count\": 1, \"app_code\": \"XYZ\", \"group\": \"\", \"instance\": \"PQ1\", \"job_names\": [\"XYZ#cmd#mila3098\"]}, {\"count\": 192, \"app_code\": \"GKU\", \"group\": \"CAD45678\", \"instance\": \"PQ1\", \"job_names\": [\"ZZZ#cmd#test123\"] ,[\"ZZZ#cmd#test890\"], [\"ZZZ#cmd#gola456\"], [\"ZZZ#cmd#test9990\"] }}" | eval data = split(_raw,"}, {") | stats count by data | rex field=data "\"count\":\s(?&lt;count&gt;\d+),\s\"app_code\":\s\"(?&lt;app_code&gt;[^,]+)\",\s\"group\"\:\s\"(?&lt;group&gt;[^,]*)\",\s\"instance\"\:\s\"(?&lt;instance&gt;[^,]+)\",\s\"job_names\":\s(?&lt;job_names&gt;.*)" | rex field=job_names "\[?\"(?&lt;job_names&gt;[^\"]+)\"" max_match=0 | eval job_names=mvjoin(job_names,",") |table app_code count group instance job_names</LI-CODE><P>&nbsp;</P><P>&nbsp;</P><P>I hope this will help you with your all type of events. <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span>&nbsp;</P><P>Thanks<BR />KV<BR />▄︻̷̿┻̿═━一 &nbsp;&nbsp;<SPAN><span class="lia-unicode-emoji" title=":winking_face:">😉</span></SPAN><BR /><BR />If any of my reply helps you to solve the problem Or gain knowledge, an upvote would be appreciated.</P> Thu, 02 Sep 2021 05:42:09 GMT https://community.splunk.com/t5/Splunk-Search/How-to-use-mvindex-to-break-json-file-with-multiple-values/m-p/565593#M197064 kamlesh_vaghela 2021-09-02T05:42:09Z