https://community.splunk.com/t5/Splunk-Search/Create-table-from-nested-array-of-json-objects-that-includes/m-p/749510#M242158 <P>I have an event that looks as follows:</P><LI-CODE lang="javascript">{ "app_name": "my_app", "audit_details": { "audit": { "responseContentLength": "-1", "name": "app_name", "details": { "detail": [{ "messageId": "-4", "time": "1752065281146", "ordinal": "0" }, { "messageId": "7103", "time": "1752065281146", "ordinal": "1" }, { "messageId": "7101", "time": "1752065281146", "ordinal": "2" } ] } } } }</LI-CODE><P>I want to create a table that includes a row for each detail record that includes the messageId, time and ordinal, but also a messageIdDescription that is retrieved from a lookup similar to as follows:<BR /><BR />lookup Table_MessageId message_Id as messageId OUTPUT definition as messageIdDescription<BR /><BR />the Table_MessageId has three columns - message_Id, definition, audit_Level<BR /><BR />Any pointers are appreciated.<BR /><BR /></P> Wed, 09 Jul 2025 14:50:40 GMT tomporterfield 2025-07-09T14:50:40Z https://community.splunk.com/t5/Splunk-Search/Create-table-from-nested-array-of-json-objects-that-includes/m-p/749510#M242158 <P>I have an event that looks as follows:</P><LI-CODE lang="javascript">{ "app_name": "my_app", "audit_details": { "audit": { "responseContentLength": "-1", "name": "app_name", "details": { "detail": [{ "messageId": "-4", "time": "1752065281146", "ordinal": "0" }, { "messageId": "7103", "time": "1752065281146", "ordinal": "1" }, { "messageId": "7101", "time": "1752065281146", "ordinal": "2" } ] } } } }</LI-CODE><P>I want to create a table that includes a row for each detail record that includes the messageId, time and ordinal, but also a messageIdDescription that is retrieved from a lookup similar to as follows:<BR /><BR />lookup Table_MessageId message_Id as messageId OUTPUT definition as messageIdDescription<BR /><BR />the Table_MessageId has three columns - message_Id, definition, audit_Level<BR /><BR />Any pointers are appreciated.<BR /><BR /></P> Wed, 09 Jul 2025 14:50:40 GMT https://community.splunk.com/t5/Splunk-Search/Create-table-from-nested-array-of-json-objects-that-includes/m-p/749510#M242158 tomporterfield 2025-07-09T14:50:40Z https://community.splunk.com/t5/Splunk-Search/Create-table-from-nested-array-of-json-objects-that-includes/m-p/749512#M242160 <P>Use spath and mvexpand</P><LI-CODE lang="markup">| spath path=audit_details.audit.details.detail{} | mvexpand audit_details.audit.details.detail{} | spath input=audit_details.audit.details.detail{} | fields - audit_details.audit.details.detail{}*</LI-CODE><P>Your would give</P><TABLE width="743px"><TBODY><TR><TD>app_name</TD><TD>audit_details.audit.name</TD><TD>audit_details.audit.responseContentLength</TD><TD>messageId</TD><TD>ordinal</TD><TD>time</TD></TR><TR><TD width="69.40625px">my_app</TD><TD width="155.703125px">app_name</TD><TD width="268px">-1</TD><TD width="68.921875px">-4</TD><TD width="43.984375px">0</TD><TD width="136px">1752065281146</TD></TR><TR><TD width="69.40625px">my_app</TD><TD width="155.703125px">app_name</TD><TD width="268px">-1</TD><TD width="68.921875px">7103</TD><TD width="43.984375px">1</TD><TD width="136px">1752065281146</TD></TR><TR><TD width="69.40625px">my_app</TD><TD width="155.703125px">app_name</TD><TD width="268px">-1</TD><TD width="68.921875px">7101</TD><TD width="43.984375px">2</TD><TD width="136px">1752065281146</TD></TR></TBODY></TABLE><P>Here is an emulation for you to play with and compare with real data</P><LI-CODE lang="markup">| makeresults | fields - _time | eval _raw = "{ \"app_name\": \"my_app\", \"audit_details\": { \"audit\": { \"responseContentLength\": \"-1\", \"name\": \"app_name\", \"details\": { \"detail\": [{ \"messageId\": \"-4\", \"time\": \"1752065281146\", \"ordinal\": \"0\" }, { \"messageId\": \"7103\", \"time\": \"1752065281146\", \"ordinal\": \"1\" }, { \"messageId\": \"7101\", \"time\": \"1752065281146\", \"ordinal\": \"2\" } ] } } } }" | spath ``` data emulation above ```</LI-CODE> Wed, 09 Jul 2025 16:25:52 GMT https://community.splunk.com/t5/Splunk-Search/Create-table-from-nested-array-of-json-objects-that-includes/m-p/749512#M242160 yuanliu 2025-07-09T16:25:52Z https://community.splunk.com/t5/Splunk-Search/Create-table-from-nested-array-of-json-objects-that-includes/m-p/749528#M242164 <P>Thanks, let me give that a go in the overall solution, but it looks very promising.</P> Wed, 09 Jul 2025 19:22:00 GMT https://community.splunk.com/t5/Splunk-Search/Create-table-from-nested-array-of-json-objects-that-includes/m-p/749528#M242164 tomporterfield 2025-07-09T19:22:00Z https://community.splunk.com/t5/Splunk-Search/Create-table-from-nested-array-of-json-objects-that-includes/m-p/749726#M242220 <P>I was able to successfully get this working with the guidance, thanks.</P> Mon, 14 Jul 2025 11:30:46 GMT https://community.splunk.com/t5/Splunk-Search/Create-table-from-nested-array-of-json-objects-that-includes/m-p/749726#M242220 tomporterfield 2025-07-14T11:30:46Z