ResourceInfo: {
     ID: "58",
     User: "abc",
     NVM: { 
       a: "522523632",
       b: "80000000",
       c: "442523632",
       d: "14",
       .
       .

     },
     RAM: { [+]
     },
     ROM: { [+]
     }
     }

and for RAM ROM and NVM i want to get the specific data inside them.

component   Value

a                      522523632
b                      80000000
c                      442523632
d                        14        

.

.

.

I want to form a table like this for RAM ROM and NVM. And i do it like this. But sometimes i get a error message like field tmp does not exist, even there is data. So i want to avoid mvzip and get this data in some other way. is there way present to deal with JSON data?

| spath output=RAM ResourceInfo.RAM
| rex field=RAM max_match=0 "\"(?<component>[^\"]+)\":(?<Value>[\d\.]+)"
| eval tmp = mvzip(component,Value) 
| mvexpand tmp 
| eval component=mvindex(split(tmp,","),0) 
| eval Value=mvindex(split(tmp,","),1)
|table component Value

Try it this way around

| spath output=RAM ResourceInfo.RAM
| rex field=RAM max_match=0 "\"(?<tmp>[^\"]+\":[\d\.]+)"
| mvexpand tmp 
| rex field=tmp "(?<component>[^\"]+)\":(?<Value>[\d\.]+)"
| table component Value

This solution is working and im not seeing any warning message now.

How is this different from mvzip?

May i know why mvzip gives warning if the data is empty?

Perhaps if you can isolate the event or events which are generating the error, you might be able to determine this. However, my guess is that sometimes you end up with one or more nulls from the rex and this is what mvzip doesn't like.

Doing it this way around avoids using mvzip because the mvexpand is done before the fields are split up so the association across the row is maintained and doesn't need to be rebuilt with the mvzip