https://community.splunk.com/t5/Splunk-Search/How-to-use-foreach-to-extract-value-from-another-json-object/m-p/642068#M222414 <P>&nbsp;</P><P>I am trying to get the values from one json object using the keys from another json array. &nbsp;</P><P>&nbsp;</P><P>| makeresults<BR />| eval limits=json_object("process1", json_array(123), "process2", json_array(234), "process3", json_array(0.12)), total=0<BR />| eval processes = json_array("process1", "process2")<BR />| eval new_data_limits = json_object()<BR />| foreach processes<BR />[ | eval new_data_limits = json_set(new_data_limits, &lt;&lt;FIELD&gt;&gt;, json_extract(limits, &lt;&lt;FIELD&gt;&gt;))]</P><P>&nbsp;</P><P>1) How do I capture the limits into the new_data_limits array?</P><P>2)&nbsp;If there's multiple events similar to 'limits', how do I get the average of similar process? (i.e "process1", "process2")</P><P>&nbsp;</P><P>TIA....</P> Tue, 02 May 2023 21:25:20 GMT GaryZ 2023-05-02T21:25:20Z https://community.splunk.com/t5/Splunk-Search/How-to-use-foreach-to-extract-value-from-another-json-object/m-p/642068#M222414 <P>&nbsp;</P><P>I am trying to get the values from one json object using the keys from another json array. &nbsp;</P><P>&nbsp;</P><P>| makeresults<BR />| eval limits=json_object("process1", json_array(123), "process2", json_array(234), "process3", json_array(0.12)), total=0<BR />| eval processes = json_array("process1", "process2")<BR />| eval new_data_limits = json_object()<BR />| foreach processes<BR />[ | eval new_data_limits = json_set(new_data_limits, &lt;&lt;FIELD&gt;&gt;, json_extract(limits, &lt;&lt;FIELD&gt;&gt;))]</P><P>&nbsp;</P><P>1) How do I capture the limits into the new_data_limits array?</P><P>2)&nbsp;If there's multiple events similar to 'limits', how do I get the average of similar process? (i.e "process1", "process2")</P><P>&nbsp;</P><P>TIA....</P> Tue, 02 May 2023 21:25:20 GMT https://community.splunk.com/t5/Splunk-Search/How-to-use-foreach-to-extract-value-from-another-json-object/m-p/642068#M222414 GaryZ 2023-05-02T21:25:20Z https://community.splunk.com/t5/Splunk-Search/How-to-use-foreach-to-extract-value-from-another-json-object/m-p/642075#M222417 <P>| makeresults<BR />| eval limits=json_object("process1", json_array(123), "process2", json_array(234), "process3", json_array(0.12)), total=0<BR />| eval processes = json_array("process1", "process2")<BR />| eval new_data_limits = json_object()<BR />| foreach processes<BR />[ | eval key = tostring(&lt;&lt;FIELD&gt;&gt;), value = json_extract(limits, key), new_data_limits = if(isnull(new_data_limits), json_object(key, value), json_set(new_data_limits, key, value)) ]<BR /><BR />get average&nbsp;<BR /><BR />base search | stats avg(*) as * by process1, process2</P><P>&nbsp;</P> Tue, 02 May 2023 22:25:04 GMT https://community.splunk.com/t5/Splunk-Search/How-to-use-foreach-to-extract-value-from-another-json-object/m-p/642075#M222417 abi2023 2023-05-02T22:25:04Z https://community.splunk.com/t5/Splunk-Search/How-to-use-foreach-to-extract-value-from-another-json-object/m-p/642080#M222420 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/256053">@abi2023</a>&nbsp;</P><P>&nbsp;</P><P>I understand your code, and I believe that it should work. &nbsp;however when I run the search, I get the following.</P><P>I don't see new_data_limits capturing the limit values. &nbsp;I've tried rerunning the search, and have also stepped through it without the foreach loop. &nbsp;I do see the results. &nbsp;However when it's used in the foreach loop, the limits values aren't in the new_data_limits variable.&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="GaryZ_1-1683068282273.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/25193iB88C7CCFA76486AA/image-size/medium?v=v2&amp;px=400" role="button" title="GaryZ_1-1683068282273.png" alt="GaryZ_1-1683068282273.png" /></span></P><P>&nbsp;</P> Tue, 02 May 2023 22:59:59 GMT https://community.splunk.com/t5/Splunk-Search/How-to-use-foreach-to-extract-value-from-another-json-object/m-p/642080#M222420 GaryZ 2023-05-02T22:59:59Z https://community.splunk.com/t5/Splunk-Search/How-to-use-foreach-to-extract-value-from-another-json-object/m-p/642098#M222425 <P>By default, foreach uses <A href="https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Foreach#Optional_arguments" target="_blank" rel="noopener">multifield mode</A>. &nbsp;What you need is its json_array mode. &nbsp;(If you have Splunk 9, that is. &nbsp;Before Splunk 9, foreach only has multifield mode.)</P><P>&nbsp;</P><LI-CODE lang="markup">| makeresults | eval limits=json_object("process1", json_array(123), "process2", json_array(234), "process3", json_array(0.12)), total=0 | eval processes = json_array("process1", "process2") | eval new_data_limits = json_object() | foreach processes mode=json_array [ | eval new_data_limits = json_set(new_data_limits, &lt;&lt;ITEM&gt;&gt;, json_extract(limits, &lt;&lt;ITEM&gt;&gt;))]</LI-CODE><P>&nbsp;</P><P>To get average, on the other hand, I would lose that JSON array for processes because you need separate columns.</P><LI-CODE lang="markup">| makeresults | eval limits=mvappend(json_object("process1", json_array(123), "process2", json_array(234), "process3", json_array(0.12)), json_object("process1", json_array(345), "process2", json_array(678), "process3", json_array(0.12))), total=0 | mvexpand limits ```data emulation above``` | foreach process1 process2 [ eval new_&lt;&lt;FIELD&gt;&gt;_limit = json_array_to_mv(json_extract(limits, "&lt;&lt;FIELD&gt;&gt;"))] | stats sum(total) as total avg(*) as *</LI-CODE> Wed, 03 May 2023 06:35:53 GMT https://community.splunk.com/t5/Splunk-Search/How-to-use-foreach-to-extract-value-from-another-json-object/m-p/642098#M222425 yuanliu 2023-05-03T06:35:53Z