@arun_kant_sharma

Can you please try this?

YOUR_SEARCH  | spath path="{}." output=data | mvexpand data | eval _raw=data | spath | table day dayOfMonth month duration program sourceHost time user

Example:

| makeresults | eval _raw="[{\"day\": \"Tue\",\"dayOfMonth\": \"15\",\"duration\": \"(00:00)\",\"month\": \"Oct\",\"program\": \"ssh:notty\",\"sourceHost\": \"ljp1gwd01.axa-di\",\"time\": \"15:09 - 15:09\",\"user\": \"shaikh\" },{\"day\": \"Thu\",\"dayOfMonth\": \"3\",\"duration\": \"(00:00)\",\"month\": \"Oct\",\"program\": \"ssh:notty\",\"sourceHost\": \"ljp1gwd01.axa-di\",\"time\": \"16:33 - 16:33\",\"user\": \"shaikh\" } ]" | spath path="{}." output=data | mvexpand data | eval _raw=data | spath | table day dayOfMonth month duration program sourceHost time user