https://community.splunk.com/t5/Splunk-Search/How-to-extract-key-value-pair-from-json-object/m-p/654295#M226085 <P>mvindex wouldn't do anything to single valued&nbsp;fields.id1,&nbsp;fields.id3, etc. &nbsp;To limit fields of interest, use&nbsp;<A href="https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Fields" target="_blank" rel="noopener">fields</A>&nbsp;command.</P><LI-CODE lang="markup">| fields fields.id1 fields.id3</LI-CODE><P>If you only want to display these fields in statistics tab, use&nbsp;<A href="https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Table" target="_blank" rel="noopener">table</A>&nbsp;command.</P> Mon, 14 Aug 2023 17:00:02 GMT yuanliu 2023-08-14T17:00:02Z https://community.splunk.com/t5/Splunk-Search/How-to-extract-key-value-pair-from-json-object/m-p/654286#M226081 <P>I have a JSON event like this:&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <LI-CODE lang="markup">{ ...otherfields..., "fields": { "id1": 123, "id2": 456, "id3": 789, ... }, ...otherfields... }</LI-CODE> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;I want to extract some key-value pairs from the "fields" object, i.e., I want to see the extracted fields in the "interesting fields" section.</P> <P>For example, if I only want to extract id1 and id3, I should use&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <LI-CODE lang="markup">eval new_id1 = mvindex(fields.id1, 0) eval new_id3 = mvindex(fields.id3, 0)</LI-CODE> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;, right? Or is there another efficient way but not to use Foreach? I am new to the Splunk syntax so would appreciate any help.&nbsp;</P> Mon, 14 Aug 2023 17:45:19 GMT https://community.splunk.com/t5/Splunk-Search/How-to-extract-key-value-pair-from-json-object/m-p/654286#M226081 itnewbie 2023-08-14T17:45:19Z https://community.splunk.com/t5/Splunk-Search/How-to-extract-key-value-pair-from-json-object/m-p/654287#M226082 <P>Try something like this</P><LI-CODE lang="markup">| spath fields.id1 output="new_id1" | spath fields.id3 output="new_id3"</LI-CODE><P>N.B. The spath command is built for extracting fields from JSON (and XML) structured data.</P> Mon, 14 Aug 2023 14:59:44 GMT https://community.splunk.com/t5/Splunk-Search/How-to-extract-key-value-pair-from-json-object/m-p/654287#M226082 ITWhisperer 2023-08-14T14:59:44Z https://community.splunk.com/t5/Splunk-Search/How-to-extract-key-value-pair-from-json-object/m-p/654295#M226085 <P>mvindex wouldn't do anything to single valued&nbsp;fields.id1,&nbsp;fields.id3, etc. &nbsp;To limit fields of interest, use&nbsp;<A href="https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Fields" target="_blank" rel="noopener">fields</A>&nbsp;command.</P><LI-CODE lang="markup">| fields fields.id1 fields.id3</LI-CODE><P>If you only want to display these fields in statistics tab, use&nbsp;<A href="https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Table" target="_blank" rel="noopener">table</A>&nbsp;command.</P> Mon, 14 Aug 2023 17:00:02 GMT https://community.splunk.com/t5/Splunk-Search/How-to-extract-key-value-pair-from-json-object/m-p/654295#M226085 yuanliu 2023-08-14T17:00:02Z