https://community.splunk.com/t5/Splunk-Search/How-to-iterate-over-the-values-of-a-complex-field/m-p/626672#M217817 <P>Here's an example that uses foreach to iterate through the keys/values within somefield.</P><LI-CODE lang="markup">| makeresults | eval _raw="{\"some_field\": { \"key1\": 10, \"key2\": 20, \"key3\": 5, \"key4\": 77, \"key5\": 33, } }" | spath | foreach some_field.* [ | eval max=max('&lt;&lt;FIELD&gt;&gt;', max), max_field_key=if('&lt;&lt;FIELD&gt;&gt;'=max, "&lt;&lt;MATCHSTR&gt;&gt;", max_field_key) ]</LI-CODE><P>Note that if there are duplicate values, it will take the last field name as the max_field_key.</P><P>Anyway, hope this helps.</P><P>&nbsp;</P> Tue, 10 Jan 2023 22:56:12 GMT bowesmana 2023-01-10T22:56:12Z https://community.splunk.com/t5/Splunk-Search/How-to-iterate-over-the-values-of-a-complex-field/m-p/626669#M217815 <P>The event has a field:</P><P>&nbsp;</P><P>&nbsp;</P><LI-CODE lang="javascript">{ ... some_field: { key1: value1 key2: value2 } ... }</LI-CODE><P>&nbsp;</P><P>&nbsp;</P><P>How to iterate over the values of "some_field" field?</P><P>For example I need to get max value.</P><P>I need something like this:</P><P>... | eval filed_max_value=max(map_values(some_field))</P><P>For map_value I get error:&nbsp;<SPAN>Error in 'EvalCommand': The 'map_values' function is unsupported or undefined.</SPAN></P><P>Could you also explain how to use&nbsp;<A href="https://docs.splunk.com/Documentation/DSP/1.3.1/FunctionReference/Map#:~:text=some_value%22%5D%2C%20map%3A%20attributes)%20%7C...%3B-,map_values(input),-Returns%20a%20list" target="_self">map_keys and map_values functions</A>&nbsp;?</P> Tue, 10 Jan 2023 22:11:28 GMT https://community.splunk.com/t5/Splunk-Search/How-to-iterate-over-the-values-of-a-complex-field/m-p/626669#M217815 Evgenii 2023-01-10T22:11:28Z https://community.splunk.com/t5/Splunk-Search/How-to-iterate-over-the-values-of-a-complex-field/m-p/626672#M217817 <P>Here's an example that uses foreach to iterate through the keys/values within somefield.</P><LI-CODE lang="markup">| makeresults | eval _raw="{\"some_field\": { \"key1\": 10, \"key2\": 20, \"key3\": 5, \"key4\": 77, \"key5\": 33, } }" | spath | foreach some_field.* [ | eval max=max('&lt;&lt;FIELD&gt;&gt;', max), max_field_key=if('&lt;&lt;FIELD&gt;&gt;'=max, "&lt;&lt;MATCHSTR&gt;&gt;", max_field_key) ]</LI-CODE><P>Note that if there are duplicate values, it will take the last field name as the max_field_key.</P><P>Anyway, hope this helps.</P><P>&nbsp;</P> Tue, 10 Jan 2023 22:56:12 GMT https://community.splunk.com/t5/Splunk-Search/How-to-iterate-over-the-values-of-a-complex-field/m-p/626672#M217817 bowesmana 2023-01-10T22:56:12Z https://community.splunk.com/t5/Splunk-Search/How-to-iterate-over-the-values-of-a-complex-field/m-p/626673#M217818 <P>Also, those functions you reference are from DSP, not Splunk.&nbsp;</P> Tue, 10 Jan 2023 23:01:15 GMT https://community.splunk.com/t5/Splunk-Search/How-to-iterate-over-the-values-of-a-complex-field/m-p/626673#M217818 bowesmana 2023-01-10T23:01:15Z https://community.splunk.com/t5/Splunk-Search/How-to-iterate-over-the-values-of-a-complex-field/m-p/626844#M217855 <P>Magic with&nbsp;</P><LI-CODE lang="markup">spath | foreach some_field.*</LI-CODE><P>&nbsp;works.</P><P>Thanks a lot!</P> Wed, 11 Jan 2023 19:42:26 GMT https://community.splunk.com/t5/Splunk-Search/How-to-iterate-over-the-values-of-a-complex-field/m-p/626844#M217855 Evgenii 2023-01-11T19:42:26Z