https://community.splunk.com/t5/Splunk-Search/How-to-extract-mutiple-value-from-json/m-p/604213#M210165 <P>thanks for your help! the result is "37.0.10.15.judgments{}" and "47.105.153.104.judgments{}", what can I do if I want to stats the two judgments to one field?</P> Sat, 02 Jul 2022 03:10:28 GMT zhenqi 2022-07-02T03:10:28Z https://community.splunk.com/t5/Splunk-Search/How-to-extract-mutiple-value-from-json/m-p/604098#M210139 <P>Hi,</P><P>I want to extract judgments to a fields from&nbsp;<SPAN>"</SPAN><SPAN class="">37.0.10.15</SPAN><SPAN>" and&nbsp;"<SPAN class="">47.105.153.104</SPAN>",</SPAN></P><P>Is there any way it can do that?</P><PRE><SPAN>{"</SPAN><SPAN class="">data</SPAN><SPAN>"</SPAN><SPAN class="">:</SPAN><SPAN>{"</SPAN><SPAN class="">37.0.10.15</SPAN><SPAN>"</SPAN><SPAN class="">:</SPAN><SPAN>{"</SPAN><SPAN class="">severity</SPAN><SPAN>"</SPAN><SPAN class="">:</SPAN><SPAN>"</SPAN><SPAN class="">medium</SPAN><SPAN>","</SPAN><SPAN class="">judgments</SPAN><SPAN>"</SPAN><SPAN class="">:</SPAN><SPAN>["</SPAN><SPAN class="">Scanner</SPAN><SPAN>","</SPAN><SPAN class="">Zombie</SPAN><SPAN>","</SPAN><SPAN class="">Spam</SPAN><SPAN>"],"</SPAN><SPAN class="">tags_classes</SPAN><SPAN>"</SPAN><SPAN class="">:</SPAN><SPAN>[],"</SPAN><SPAN class="">basic</SPAN><SPAN>"</SPAN><SPAN class="">:</SPAN><SPAN>{"</SPAN><SPAN class="">carrier</SPAN><SPAN>"</SPAN><SPAN class="">:</SPAN><SPAN>"</SPAN><SPAN class="">Delis</SPAN> <SPAN class="">LLC</SPAN><SPAN>","</SPAN><SPAN class="">location</SPAN><SPAN>"</SPAN><SPAN class="">:</SPAN><SPAN>{"</SPAN><SPAN class="">country</SPAN><SPAN>"</SPAN><SPAN class="">:</SPAN><SPAN>"</SPAN><SPAN class="">The</SPAN> <SPAN class="">Netherlands</SPAN><SPAN>","</SPAN><SPAN class="">province</SPAN><SPAN>"</SPAN><SPAN class="">:</SPAN><SPAN>"</SPAN><SPAN class="">Zuid-Holland</SPAN><SPAN>","</SPAN><SPAN class="">city</SPAN><SPAN>"</SPAN><SPAN class="">:</SPAN><SPAN>"</SPAN><SPAN class="">Brielle</SPAN><SPAN>","</SPAN><SPAN class="">lng</SPAN><SPAN>"</SPAN><SPAN class="">:</SPAN><SPAN>"</SPAN><SPAN class="">4.16361</SPAN><SPAN>","</SPAN><SPAN class="">lat</SPAN><SPAN>"</SPAN><SPAN class="">:</SPAN><SPAN>"</SPAN><SPAN class="">51.90248</SPAN><SPAN>","</SPAN><SPAN class="">country_code</SPAN><SPAN>"</SPAN><SPAN class="">:</SPAN><SPAN>"</SPAN><SPAN class="">NL</SPAN><SPAN>"}},"</SPAN><SPAN class="">asn</SPAN><SPAN>"</SPAN><SPAN class="">:</SPAN><SPAN>{},"</SPAN><SPAN class="">scene</SPAN><SPAN>"</SPAN><SPAN class="">:</SPAN><SPAN>"","</SPAN><SPAN class="">confidence_level</SPAN><SPAN>"</SPAN><SPAN class="">:</SPAN><SPAN>"</SPAN><SPAN class="">high</SPAN><SPAN>","</SPAN><SPAN class="">is_malicious</SPAN><SPAN>"</SPAN><SPAN class="">:true</SPAN><SPAN>,"</SPAN><SPAN class="">update_time</SPAN><SPAN>"</SPAN><SPAN class="">:</SPAN><SPAN>"</SPAN><SPAN class="">2022-06-20</SPAN> <SPAN class="">13:00:09</SPAN><SPAN>"},"</SPAN><SPAN class="">47.105.153.104</SPAN><SPAN>"</SPAN><SPAN class="">:</SPAN><SPAN>{"</SPAN><SPAN class="">severity</SPAN><SPAN>"</SPAN><SPAN class="">:</SPAN><SPAN>"</SPAN><SPAN class="">high</SPAN><SPAN>","</SPAN><SPAN class="">judgments</SPAN><SPAN>"</SPAN><SPAN class="">:</SPAN><SPAN>["</SPAN><SPAN class="">Zombie</SPAN><SPAN>","</SPAN><SPAN class="">IDC</SPAN><SPAN>","</SPAN><SPAN class="">Exploit</SPAN><SPAN>","</SPAN><SPAN class="">Spam</SPAN><SPAN>"],"</SPAN><SPAN class="">tags_classes</SPAN><SPAN>"</SPAN><SPAN class="">:</SPAN><SPAN>[{"</SPAN><SPAN class="">tags</SPAN><SPAN>"</SPAN><SPAN class="">:</SPAN><SPAN>["</SPAN><SPAN class="">Aliyun</SPAN><SPAN>"],"</SPAN><SPAN class="">tags_type</SPAN><SPAN>"</SPAN><SPAN class="">:</SPAN><SPAN>"</SPAN><SPAN class="">public_info</SPAN><SPAN>"}],"</SPAN><SPAN class="">basic</SPAN><SPAN>"</SPAN><SPAN class="">:</SPAN><SPAN>{"</SPAN><SPAN class="">carrier</SPAN><SPAN>"</SPAN><SPAN class="">:</SPAN><SPAN>"</SPAN><SPAN class="">Alibaba</SPAN> <SPAN class="">Cloud</SPAN><SPAN>","</SPAN><SPAN class="">location</SPAN><SPAN>"</SPAN><SPAN class="">:</SPAN><SPAN>{"</SPAN><SPAN class="">country</SPAN><SPAN>"</SPAN><SPAN class="">:</SPAN><SPAN>"</SPAN><SPAN class="">China</SPAN><SPAN>","</SPAN><SPAN class="">province</SPAN><SPAN>"</SPAN><SPAN class="">:</SPAN><SPAN>"</SPAN><SPAN class="">Shandong</SPAN><SPAN>","</SPAN><SPAN class="">city</SPAN><SPAN>"</SPAN><SPAN class="">:</SPAN><SPAN>"</SPAN><SPAN class="">Qingdao</SPAN> <SPAN class="">City</SPAN><SPAN>","</SPAN><SPAN class="">lng</SPAN><SPAN>"</SPAN><SPAN class="">:</SPAN><SPAN>"</SPAN><SPAN class="">120.372878</SPAN><SPAN>","</SPAN><SPAN class="">lat</SPAN><SPAN>"</SPAN><SPAN class="">:</SPAN><SPAN>"</SPAN><SPAN class="">36.098733</SPAN><SPAN>","</SPAN><SPAN class="">country_code</SPAN><SPAN>"</SPAN><SPAN class="">:</SPAN><SPAN>"</SPAN><SPAN class="">CN</SPAN><SPAN>"}},"</SPAN><SPAN class="">asn</SPAN><SPAN>"</SPAN><SPAN class="">:</SPAN><SPAN>{"</SPAN><SPAN class="">rank</SPAN><SPAN>"</SPAN><SPAN class="">:2</SPAN><SPAN>,"</SPAN><SPAN class="">info</SPAN><SPAN>"</SPAN><SPAN class="">:</SPAN><SPAN>"</SPAN><SPAN class="">CNNIC-ALIBABA-CN-NET-AP</SPAN> <SPAN class="">Hangzhou</SPAN> <SPAN class="">Alibaba</SPAN> <SPAN class="">Advertising</SPAN> <SPAN class="">Co.</SPAN><SPAN>,</SPAN><SPAN class="">Ltd.</SPAN><SPAN>, </SPAN><SPAN class="">CN</SPAN><SPAN>","</SPAN><SPAN class="">number</SPAN><SPAN>"</SPAN><SPAN class="">:37963</SPAN><SPAN>},"</SPAN><SPAN class="">scene</SPAN><SPAN>"</SPAN><SPAN class="">:</SPAN><SPAN>"</SPAN><SPAN class="">Hosting</SPAN><SPAN>","</SPAN><SPAN class="">confidence_level</SPAN><SPAN>"</SPAN><SPAN class="">:</SPAN><SPAN>"</SPAN><SPAN class="">high</SPAN><SPAN>","</SPAN><SPAN class="">is_malicious</SPAN><SPAN>"</SPAN><SPAN class="">:true</SPAN><SPAN>,"</SPAN><SPAN class="">update_time</SPAN><SPAN>"</SPAN><SPAN class="">:</SPAN><SPAN>"</SPAN><SPAN class="">2022-06-27</SPAN> <SPAN class="">21:11:32</SPAN><SPAN>"}},"</SPAN><SPAN class="">response_code</SPAN><SPAN>"</SPAN><SPAN class="">:0</SPAN><SPAN>,"</SPAN><SPAN class="">verbose_msg</SPAN><SPAN>"</SPAN><SPAN class="">:</SPAN><SPAN>"</SPAN><SPAN class="">OK</SPAN><SPAN>"}</SPAN></PRE><P>&nbsp;</P> Fri, 01 Jul 2022 09:44:36 GMT https://community.splunk.com/t5/Splunk-Search/How-to-extract-mutiple-value-from-json/m-p/604098#M210139 zhenqi 2022-07-01T09:44:36Z https://community.splunk.com/t5/Splunk-Search/How-to-extract-mutiple-value-from-json/m-p/604106#M210144 <LI-CODE lang="markup">| spath data | spath input=data | fields *.judgments{}</LI-CODE> Fri, 01 Jul 2022 11:16:13 GMT https://community.splunk.com/t5/Splunk-Search/How-to-extract-mutiple-value-from-json/m-p/604106#M210144 ITWhisperer 2022-07-01T11:16:13Z https://community.splunk.com/t5/Splunk-Search/How-to-extract-mutiple-value-from-json/m-p/604213#M210165 <P>thanks for your help! the result is "37.0.10.15.judgments{}" and "47.105.153.104.judgments{}", what can I do if I want to stats the two judgments to one field?</P> Sat, 02 Jul 2022 03:10:28 GMT https://community.splunk.com/t5/Splunk-Search/How-to-extract-mutiple-value-from-json/m-p/604213#M210165 zhenqi 2022-07-02T03:10:28Z https://community.splunk.com/t5/Splunk-Search/How-to-extract-mutiple-value-from-json/m-p/604220#M210168 <P>Not sure what you mean by "stats the two judgments to one field, but you can combine them as a single multi-value field like this</P><LI-CODE lang="markup">| spath | spath input=data | fields *.judgments{} | foreach *.judgments{} [| eval judgments=if(isnull(judgments),'&lt;&lt;FIELD&gt;&gt;',mvappend(judgments,'&lt;&lt;FIELD&gt;&gt;'))]</LI-CODE> Sat, 02 Jul 2022 07:20:01 GMT https://community.splunk.com/t5/Splunk-Search/How-to-extract-mutiple-value-from-json/m-p/604220#M210168 ITWhisperer 2022-07-02T07:20:01Z https://community.splunk.com/t5/Splunk-Search/How-to-extract-mutiple-value-from-json/m-p/604221#M210169 <P>thanks ! I solved the problem by modifying json format,your answer helps me a lot</P> Sat, 02 Jul 2022 07:24:26 GMT https://community.splunk.com/t5/Splunk-Search/How-to-extract-mutiple-value-from-json/m-p/604221#M210169 zhenqi 2022-07-02T07:24:26Z