@ dreddy123
Can you please try this?
YOUR_SEARCH | rename courses{}.course as courses_course | where isnull(courses_course)
My Sample Search:
| makeresults | eval _raw="{\"id\":\"studentNumber\",\"courses\":[{\"course\" : \"Analysis of Alg\"},{\"course\": \"game dev\"}]}" | append [ | makeresults | eval _raw="{\"id\":\"studentNumber\",\"courses\":[]}" ] |kv | rename courses{}.course as courses_course | where isnull(courses_course)
Thanks
