Hi Team,
First Event where i need to retrieve the uniqObjectIds

{"name":"","awsRequestId":"","hostname":"","pid":8,"level":30,"uniqObjectIds":["275649"],"uniqObjectIdsCount":1,"msg":"unique objectIds","time":"","v":0}

below is one event where i want the fields objecttype,objectids,version to retrieve

	
{"name":"","awsRequestId":"","hostname":"","pid":8,"level":30,"eventBody":{"objectType":"material","objectIds":["275649"],"version":"latest"},"msg":"request body","time":"2023-11-06T22:48:03.330Z","v":0}

Wanted to retrieve above two events data in the below query

index="" source IN ("") | eval PST=_time-28800 | eval PST_TIME=strftime(PST, "%Y-%d-%m %H:%M:%S") | eval split_field= split(_raw, "Z\"}") | mvexpand split_field | rex field=split_field "objectIdsCount=(?<objectIdsCount>[^,]+)" | rex field=split_field "uniqObjectIdsCount=(?<uniqObjectIdsCount>[^,]+)" | rex field=split_field "recordsCount=(?<recordsCount>[^,]+)" | rex field=split_field "sqsSentCount=(?<sqsSentCount>[^,]+)"|where objectType="material" | table_time,PST_TIME,objectType,objectIdsCount,uniqObjectIdsCount,recordsCount,sqsSentCount | sort _time desc

Since this is JSON, if you haven't already ingested it as JSON, you can extract the fields with the spath command

| spath
| spath input=eventBody

Hi @ITWhisperer 
THANKS for the above query which worked to get the data from that json in a table form.but data are displayed as duplicate/doble

index="" source IN ("") "request body"| spath
| spath input=eventBody,eventBody.objectIds{}

Your sample events didn't have duplicates in. Please share some representative unformatted events and explain what your expected results would be from those events.

Thanks @ITWhisperer the above spath query which worked and was able to form a table view without duplicate.
How can i combine two events results in a single row rather than display in two rows ,there is no common key to do stats by it has same source and index only the msg. is different
1.Currently uniqObjectIds,uniqueRetrievedIds are displayed in two rows in a table view,wanted as a single row
2.How to combine multiple event in a single query if there is no common key
.

index= ""    source IN ("")  "uniqObjectIds"  OR "data retrieved for Ids"
 | spath output=uniqObjectIds path=uniqObjectIds{}  | spath output=uniqueRetrievedIds path=uniqueRetrievedIds{} |  eval PST=_time-28800 | eval PST_TIME=strftime(PST, "%Y-%d-%m %H:%M:%S") | eval split_field= split(_raw, "Z\"}") | mvexpand split_field | rex field=split_field "objectIdsCount=(?<objectIdsCount>[^,]+)" | rex field=split_field "uniqObjectIdsCount=(?<uniqObjectIdsCount>[^,]+)" | rex field=split_field "recordsCount=(?<recordsCount>[^,]+)" | rex field=split_field "sqsSentCount=(?<sqsSentCount>[^,]+)" | table_time,PST_TIME,objectType,objectIdsCount,uniqObjectIdsCount,recordsCount,sqsSentCount,uniqObjectIds,uniqueRetrievedIds | sort _time desc

Since these come from the same raw event(?) you could regather the fields with a stats command

| stats values(*) as * by _raw

You may need to add _raw to your list of fields in the table command or use another field which is unique to the original event, e.g. _time

thank you @ITWhisperer  Above solution worked