
Json object key value differences as output

vikashumble

Hello All,

I have a use case where I need to compare two JSON objects and highlight their key/value differences. This is just to ensure that we can let OSC know only about the changes that have been made, rather than sending both the old and the new JSON as an alert. Is that doable? I tried using foreach, spath and mvexpand but could not figure out a proper working solution. Any help on this is much appreciated.

Json1:

{
"id": "XXXXX",
"displayName": "ANY DISPLAY NAME",
"createdDateTime": "2021-10-05T07:01:58.275401+00:00",
"modifiedDateTime": "2025-02-05T10:30:40.0351794+00:00",
"state": "enabled",
"conditions": {
"applications": {
"includeApplications": [
"YYYYY"
],
"excludeApplications": [],
"includeUserActions": [],
"includeAuthenticationContextClassReferences": [],
"applicationFilter": null
},
"users": {
"includeUsers": [],
"excludeUsers": [],
"includeGroups": [
"USERGROUP1",
"USERGROUP2"
],
"excludeGroups": [],
"includeRoles": [],
"excludeRoles": []
},
"userRiskLevels": [],
"signInRiskLevels": [],
"clientAppTypes": [
"all"
],
"servicePrincipalRiskLevels": []
},
"grantControls": {
"operator": "OR",
"builtInControls": [
"mfa"
],
"customAuthenticationFactors": [],
"termsOfUse": []
},
"sessionControls": {
"cloudAppSecurity": {
"cloudAppSecurityType": "monitor",
"isEnabled": true
},
"signInFrequency": {
"value": 1,
"type": "hours",
"authenticationType": "primaryAndSecondaryAuthentication",
"frequencyInterval": "timeBased",
"isEnabled": true
}
}
}

 

json2:

{
"id": "XXXXX",
"displayName": "ANY DISPLAY NAME 1",
"createdDateTime": "2021-10-05T07:01:58.275401+00:00",
"modifiedDateTime": "2025-02-06T10:30:40.0351794+00:00",
"state": "enabled",
"conditions": {
"applications": {
"includeApplications": [
"YYYYY"
],
"excludeApplications": [],
"includeUserActions": [],
"includeAuthenticationContextClassReferences": [],
"applicationFilter": null
},
"users": {
"includeUsers": [],
"excludeUsers": [],
"includeGroups": [
"USERGROUP1",
"USERGROUP2",

"USERGROUP3"
],
"excludeGroups": [

"USERGROUP4"

],
"includeRoles": [],
"excludeRoles": []
},
"userRiskLevels": [],
"signInRiskLevels": [],
"clientAppTypes": [
"all"
],
"servicePrincipalRiskLevels": []
},
"grantControls": {
"operator": "OR",
"builtInControls": [
"mfa"
],
"customAuthenticationFactors": [],
"termsOfUse": []
},
"sessionControls": {
"cloudAppSecurity": {
"cloudAppSecurityType": "block",
"isEnabled": true
},
"signInFrequency": {
"value": 2,
"type": "hours",
"authenticationType": "primaryAndSecondaryAuthentication",
"frequencyInterval": "timeBased",
"isEnabled": true
}
}
}

 

Output expected (Based on above sample jsons):

KeyName , Old Value, New Value

displayName, "ANY DISPLAY NAME", "ANY DISPLAY NAME 1"

modifiedDateTime, "2025-02-05T10:30:40.0351794+00:00", "2025-02-06T10:30:40.0351794+00:00"

users."includeGroups", ["USERGROUP1","USERGROUP2"], ["USERGROUP1","USERGROUP2", "USERGROUP3"]

"excludeGroups",[],["USERGROUP4"]

sessionControls."cloudAppSecurityType","monitor","block"

signInFrequency."value",1,2

 

Thanks

 


ITWhisperer

Try something along these lines

``` Diff the oldValue/newValue JSON strings carried in an Entra ID audit event's targetResources{}.modifiedProperties{} and collect every differing path as a KeyName|oldValue|newValue entry in the multivalue field mismatch. ```
``` The makeresults below only stands in for the real event; replace it with the base search. ```
| makeresults format=json data="[{
	\"id\": \"XXXXXX\",
	\"category\": \"ABCD\",
	\"correlationId\": \"exxxxxx0\",
	\"result\": \"success\",
	\"resultReason\": null,
	\"activityDisplayName\": \"update something\",
	\"activityDateTime\": \"2025-02-13T10:00:54.007809Z\",
	\"loggedByService\": \"XXXX\",
	\"operationType\": \"Update\",
	\"targetResources\": [
		{
			\"id\": \"XXXX\",
			\"displayName\": \"DISPLAYNAME\",
			\"type\": \"ABCD\",
			\"userPrincipalName\": null,
			\"groupType\": null,
			\"modifiedProperties\": [
				{
					\"displayName\": \"abcd\",
					\"oldValue\": \"{\\\"id\\\":\\\"1234\\\",\\\"displayName\\\":\\\"ANY DISPLAY NAME\\\",\\\"createdDateTime\\\":\\\"2022-10-05T10:01:58.275401+00:00\\\",\\\"modifiedDateTime\\\":\\\"2025-02-05T10:30:40.0351794+00:00\\\",\\\"state\\\":\\\"enabled\\\",\\\"conditions\\\":{\\\"applications\\\":{\\\"includeApplications\\\":[\\\"YYYY\\\"],\\\"excludeApplications\\\":[],\\\"includeUserActions\\\":[\\\"USERACTION1\\\"],\\\"includeAuthenticationContextClassReferences\\\":[],\\\"applicationFilter\\\":null},\\\"users\\\":{\\\"includeUsers\\\":[],\\\"excludeUsers\\\":[],\\\"includeGroups\\\":[\\\"USERGROUP1\\\",\\\"USERGROUP2\\\"],\\\"excludeGroups\\\":[],\\\"includeRoles\\\":[],\\\"excludeRoles\\\":[]},\\\"userRiskLevels\\\":[],\\\"signInRiskLevels\\\":[],\\\"clientAppTypes\\\":[\\\"all\\\"],\\\"servicePrincipalRiskLevels\\\":[]},\\\"grantControls\\\":{\\\"operator\\\":\\\"OR\\\",\\\"builtInControls\\\":[\\\"mfa\\\"],\\\"customAuthenticationFactors\\\":[],\\\"termsOfUse\\\":[]},\\\"sessionControls\\\":{\\\"cloudAppSecurity\\\":{\\\"cloudAppSecurityType\\\":\\\"monitorOnly\\\",\\\"isEnabled\\\":true},\\\"signInFrequency\\\":{\\\"value\\\":2,\\\"type\\\":\\\"hours\\\",\\\"authenticationType\\\":\\\"primaryAndSecondaryAuthentication\\\",\\\"frequencyInterval\\\":\\\"timeBased\\\",\\\"isEnabled\\\":true}}}\",
					\"newValue\": \"{\\\"id\\\":\\\"12345\\\",\\\"displayName\\\":\\\"ANY DISPLAY NAME 1\\\",\\\"createdDateTime\\\":\\\"2022-10-05T10:01:58.275401+00:00\\\",\\\"modifiedDateTime\\\":\\\"2025-02-06T10:30:40.0351794+00:00\\\",\\\"state\\\":\\\"enabled\\\",\\\"conditions\\\":{\\\"applications\\\":{\\\"includeApplications\\\":[\\\"AABB\\\"],\\\"excludeApplications\\\":[],\\\"includeUserActions\\\":[],\\\"includeAuthenticationContextClassReferences\\\":[],\\\"applicationFilter\\\":null},\\\"users\\\":{\\\"includeUsers\\\":[\\\"All\\\"],\\\"excludeUsers\\\":[],\\\"includeGroups\\\":[],\\\"excludeGroups\\\":[],\\\"includeRoles\\\":[],\\\"excludeRoles\\\":[]},\\\"userRiskLevels\\\":[],\\\"signInRiskLevels\\\":[],\\\"clientAppTypes\\\":[\\\"all\\\"],\\\"servicePrincipalRiskLevels\\\":[]},\\\"grantControls\\\":{\\\"operator\\\":\\\"OR\\\",\\\"builtInControls\\\":[\\\"mfa\\\"],\\\"customAuthenticationFactors\\\":[],\\\"termsOfUse\\\":[]},\\\"sessionControls\\\":{\\\"cloudAppSecurity\\\":{\\\"cloudAppSecurityType\\\":\\\"monitorOnly\\\",\\\"isEnabled\\\":true},\\\"signInFrequency\\\":{\\\"value\\\":1,\\\"type\\\":\\\"hours\\\",\\\"authenticationType\\\":\\\"primaryAndSecondaryAuthentication\\\",\\\"frequencyInterval\\\":\\\"timeBased\\\",\\\"isEnabled\\\":true}}}\"
				}
			]
		}
	],
	\"additionalDetails\": [
		{
			\"key\": \"Category\",
			\"value\": \"ANY CATEGORY\"
		}
	]
}]" 
``` Keep only the raw event, then pull the modifiedProperties object(s) out as JSON text. ```
| fields _raw 
| spath targetResources{}.modifiedProperties{} output=modifiedProperties
| fields - _raw
``` Yields displayName, oldValue and newValue; the latter two are whole JSON documents stored as strings. ```
| spath input=modifiedProperties
``` Wrap newValue under a known root so every leaf path becomes newValueObject.<path>. ```
``` NOTE(review): the closing character is "]" where "}" would balance the opening "{"; the author reports this works, so spath presumably stops after the object, but "}" is the well-formed form - confirm on real data. ```
| eval newValueString="{\"newValueObject\":".newValue."]"
| spath input=newValueString
``` For each leaf of newValue, MATCHSTR is the path after the root (e.g. conditions.users.includeGroups{}) and FIELD its new value; json_extract() reads the same path from oldValue and the two are compared. ```
``` Caveats to verify before using this for alerting on policy changes: (1) only paths present in newValue are visited, so a key removed in the new document is never reported; ```
``` (2) if a path is absent in oldValue, _value is null and the string concatenation below is null, so an added key is likely dropped silently rather than reported; ```
``` (3) array paths ({}) arrive as multivalue fields while json_extract() may return JSON text, so arrays could compare unequal even when identical - check includeGroups{} against real events. ```
| foreach newValueObject.*
    [| eval _value=json_extract(oldValue,"<<MATCHSTR>>")
    | eval _KeyName=if('<<FIELD>>'=_value,null(),"<<MATCHSTR>>")
    | eval mismatch=if(isnotnull(_KeyName),if(isnotnull(mismatch),mvappend(mismatch,_KeyName."|"._value."|".'<<FIELD>>'),_KeyName."|"._value."|".'<<FIELD>>'),mismatch)]
``` Drop the scratch fields; mismatch is what remains (absent when nothing differed). ```
| fields - newValueObject.* newValueString _value _KeyName

You should end up with a multi-value field of pipe-delimited values: key, old value, new value.


yuanliu

Thank you for illustrating the use case clearly with sample data, logic, and the expected result from the sample. But you should also specify whether Json1 and json2 are in the same row/event. Here is a solution if they are.

 

``` Compare two JSON documents held in the same event (fields Json1 and json2) and emit one row per differing leaf: KeyName, "Old Value", "New Value". ```
| table Json1 json2
``` One row per document: "row 1" now holds the JSON text and name the originating field (Json1 / json2). ```
| transpose 0 column_name=name
| spath input="row 1"

| fields - "row 1"
``` Array leaves arrive as multivalue fields; keep a JSON-text copy under <path>_array so they survive the stats/compare below. ```
| foreach *{}
    [eval <<MATCHSTR>>_array = mv_to_json_array('<<FIELD>>')]
``` The literal string "null" marks a leaf missing on one side; it is translated back at the end. ```
``` NOTE(review): a genuine JSON null in the document (applicationFilter) would be indistinguishable from "missing" if spath surfaces it as a field - confirm on real data. ```
| fillnull value=null
| fields - *{}
``` Collapse the two rows into one multivalue per leaf; list() is relied on to keep row order (old first, new second). ```
| stats list(*) as *
``` Null out every leaf whose two values dedup to one, i.e. identical on both sides. ```
| foreach *
    [eval "<<FIELD>>" = if(mvcount(mvdedup('<<FIELD>>')) < 2, null(), '<<FIELD>>')]

``` Back to one row per leaf, keeping only the differing ones. ```
``` NOTE(review): the helper column name (Json1 / json2) also differs and therefore appears as a row in the output; drop it with | fields - name before the stats if it is unwanted. ```
| transpose 0 column_name=KeyName
| search "row 1" = *
``` Restore spath's {} notation on array keys, then split the old/new pair by position. ```
| eval KeyName = if(KeyName LIKE "%_array", replace(KeyName, "_array$", "{}"), KeyName)
| eval "Old Value" = mvindex('row 1', 0), "New Value" = mvindex('row 1', 1)
| fields - "row 1"
``` Map the "null" sentinel back: [] for array keys, absent otherwise. ```
| foreach *Value
    [eval <<FIELD>> = if('<<FIELD>>' != "null", '<<FIELD>>',
    if(KeyName LIKE "%{}", "[]", null()))]

 

Here is an emulation you can play with and compare with real data.

 

``` Emulation only: builds one event carrying the question's sample documents as fields Json1 and json2, so the comparison search above can be appended after it. ```
``` The JSON text is the sample from the question with quotes escaped for eval; it is not the real event shape. ```
| makeresults
| fields - _time
| eval Json1 = "{
\"id\": \"XXXXX\",
\"displayName\": \"ANY DISPLAY NAME\",
\"createdDateTime\": \"2021-10-05T07:01:58.275401+00:00\",
\"modifiedDateTime\": \"2025-02-05T10:30:40.0351794+00:00\",
\"state\": \"enabled\",
\"conditions\": {
\"applications\": {
\"includeApplications\": [
\"YYYYY\"
],
\"excludeApplications\": [],
\"includeUserActions\": [],
\"includeAuthenticationContextClassReferences\": [],
\"applicationFilter\": null
},
\"users\": {
\"includeUsers\": [],
\"excludeUsers\": [],
\"includeGroups\": [
\"USERGROUP1\",
\"USERGROUP2\"
],
\"excludeGroups\": [],
\"includeRoles\": [],
\"excludeRoles\": []
},
\"userRiskLevels\": [],
\"signInRiskLevels\": [],
\"clientAppTypes\": [
\"all\"
],
\"servicePrincipalRiskLevels\": []
},
\"grantControls\": {
\"operator\": \"OR\",
\"builtInControls\": [
\"mfa\"
],
\"customAuthenticationFactors\": [],
\"termsOfUse\": []
},
\"sessionControls\": {
\"cloudAppSecurity\": {
\"cloudAppSecurityType\": \"monitor\",
\"isEnabled\": true
},
\"signInFrequency\": {
\"value\": 1,
\"type\": \"hours\",
\"authenticationType\": \"primaryAndSecondaryAuthentication\",
\"frequencyInterval\": \"timeBased\",
\"isEnabled\": true
}
}
}",
json2 = "{
\"id\": \"XXXXX\",
\"displayName\": \"ANY DISPLAY NAME 1\",
\"createdDateTime\": \"2021-10-05T07:01:58.275401+00:00\",
\"modifiedDateTime\": \"2025-02-06T10:30:40.0351794+00:00\",
\"state\": \"enabled\",
\"conditions\": {
\"applications\": {
\"includeApplications\": [
\"YYYYY\"
],
\"excludeApplications\": [],
\"includeUserActions\": [],
\"includeAuthenticationContextClassReferences\": [],
\"applicationFilter\": null
},
\"users\": {
\"includeUsers\": [],
\"excludeUsers\": [],
\"includeGroups\": [
\"USERGROUP1\",
\"USERGROUP2\",

\"USERGROUP3\"
],
\"excludeGroups\": [

\"USERGROUP4\"

],
\"includeRoles\": [],
\"excludeRoles\": []
},
\"userRiskLevels\": [],
\"signInRiskLevels\": [],
\"clientAppTypes\": [
\"all\"
],
\"servicePrincipalRiskLevels\": []
},
\"grantControls\": {
\"operator\": \"OR\",
\"builtInControls\": [
\"mfa\"
],
\"customAuthenticationFactors\": [],
\"termsOfUse\": []
},
\"sessionControls\": {
\"cloudAppSecurity\": {
\"cloudAppSecurityType\": \"block\",
\"isEnabled\": true
},
\"signInFrequency\": {
\"value\": 2,
\"type\": \"hours\",
\"authenticationType\": \"primaryAndSecondaryAuthentication\",
\"frequencyInterval\": \"timeBased\",
\"isEnabled\": true
}
}
}"
``` data emulation above ```

 

The above search gives

| KeyName | New Value | Old Value |
| --- | --- | --- |
| conditions.users.excludeGroups{} | ["USERGROUP4"] | [] |
| conditions.users.includeGroups{} | ["USERGROUP1","USERGROUP2","USERGROUP3"] | ["USERGROUP1","USERGROUP2"] |
| displayName | ANY DISPLAY NAME 1 | ANY DISPLAY NAME |
| modifiedDateTime | 2025-02-06T10:30:40.0351794+00:00 | 2025-02-05T10:30:40.0351794+00:00 |
| name | json2 | Json1 |
| sessionControls.cloudAppSecurity.cloudAppSecurityType | block | monitor |
| sessionControls.signInFrequency.value | 2 | 1 |
  • For the life of me I cannot figure out where ModifiedDateTime differs. They look identical to me.
  • We can go more semantic with SPL but as you want the {} notation intact, this is perhaps the most direct.

livehybrid

hi @vikashumble 

Let us know how you get on with the link I posted in my previous reply, or the suggestion from @ITWhisperer and then we can help tweak from there depending on the results 🙂

Please let me know how you get on and consider adding karma to this or any other answer if it has helped.
Regards

Will


vikashumble

Hello @livehybrid 

I am trying the solutions from the link you provided. They do not work as-is, because they compare the keys rather than the values, and I am looking to compare the values and get the differences. I am trying to tweak them to see how I can do that. And yes, once I have the solution, I will add karma points and accept a solution as the answer. 🙂

 

Thanks


kiran_panchavat

@vikashumble 

``` Compare a fixed list of leaf paths between json1 and json2 and emit one key/old/new row per difference. ```
``` Only the six paths named below are compared; any change elsewhere (id, state, includeUsers, ...) is not seen - the limitation the asker raises further down the thread. ```
| makeresults 
| eval json1="{\"id\": \"XXXXX\",\"displayName\": \"ANY DISPLAY NAME\",\"createdDateTime\": \"2021-10-05T07:01:58.275401+00:00\",\"modifiedDateTime\": \"2025-02-05T10:30:40.0351794+00:00\",\"state\": \"enabled\",\"conditions\": {\"applications\": {\"includeApplications\": [\"YYYYY\"],\"excludeApplications\": [],\"includeUserActions\": [],\"includeAuthenticationContextClassReferences\": [],\"applicationFilter\": null},\"users\": {\"includeUsers\": [],\"excludeUsers\": [],\"includeGroups\": [\"USERGROUP1\", \"USERGROUP2\"],\"excludeGroups\": [],\"includeRoles\": [],\"excludeRoles\": []},\"userRiskLevels\": [],\"signInRiskLevels\": [],\"clientAppTypes\": [\"all\"],\"servicePrincipalRiskLevels\": []},\"grantControls\": {\"operator\": \"OR\",\"builtInControls\": [\"mfa\"],\"customAuthenticationFactors\": [],\"termsOfUse\": []},\"sessionControls\": {\"cloudAppSecurity\": {\"cloudAppSecurityType\": \"monitor\",\"isEnabled\": true},\"signInFrequency\": {\"value\": 1,\"type\": \"hours\",\"authenticationType\": \"primaryAndSecondaryAuthentication\",\"frequencyInterval\": \"timeBased\",\"isEnabled\": true}}}"
| eval json2="{\"id\": \"XXXXX\",\"displayName\": \"ANY DISPLAY NAME 1\",\"createdDateTime\": \"2021-10-05T07:01:58.275401+00:00\",\"modifiedDateTime\": \"2025-02-06T10:30:40.0351794+00:00\",\"state\": \"enabled\",\"conditions\": {\"applications\": {\"includeApplications\": [\"YYYYY\"],\"excludeApplications\": [],\"includeUserActions\": [],\"includeAuthenticationContextClassReferences\": [],\"applicationFilter\": null},\"users\": {\"includeUsers\": [],\"excludeUsers\": [],\"includeGroups\": [\"USERGROUP1\", \"USERGROUP2\", \"USERGROUP3\"],\"excludeGroups\": [\"USERGROUP4\"],\"includeRoles\": [],\"excludeRoles\": []},\"userRiskLevels\": [],\"signInRiskLevels\": [],\"clientAppTypes\": [\"all\"],\"servicePrincipalRiskLevels\": []},\"grantControls\": {\"operator\": \"OR\",\"builtInControls\": [\"mfa\"],\"customAuthenticationFactors\": [],\"termsOfUse\": []},\"sessionControls\": {\"cloudAppSecurity\": {\"cloudAppSecurityType\": \"block\",\"isEnabled\": true},\"signInFrequency\": {\"value\": 2,\"type\": \"hours\",\"authenticationType\": \"primaryAndSecondaryAuthentication\",\"frequencyInterval\": \"timeBased\",\"isEnabled\": true}}}"
``` One spath per side and path. Array paths ({}) come back as multivalue fields; an empty array presumably produces no field at all (excludeGroups in json1). ```
| spath input=json1 path="displayName" output=displayName_old
| spath input=json2 path="displayName" output=displayName_new
| spath input=json1 path="modifiedDateTime" output=modifiedDateTime_old
| spath input=json2 path="modifiedDateTime" output=modifiedDateTime_new
| spath input=json1 path="conditions.users.includeGroups{}" output=includeGroups_old
| spath input=json2 path="conditions.users.includeGroups{}" output=includeGroups_new
| spath input=json1 path="conditions.users.excludeGroups{}" output=excludeGroups_old
| spath input=json2 path="conditions.users.excludeGroups{}" output=excludeGroups_new
| spath input=json1 path="sessionControls.cloudAppSecurity.cloudAppSecurityType" output=cloudAppSecurityType_old
| spath input=json2 path="sessionControls.cloudAppSecurity.cloudAppSecurityType" output=cloudAppSecurityType_new
| spath input=json1 path="sessionControls.signInFrequency.value" output=signInFrequencyValue_old
| spath input=json2 path="sessionControls.signInFrequency.value" output=signInFrequencyValue_new
``` Build a "key, old, new" string only for paths whose values differ; if() yields null for equal pairs and mvappend() collects the rest. ```
``` NOTE(review): a comparison against a null side does not evaluate to true, so a leaf that is absent on one side (excludeGroups [] in json1) is dropped rather than reported; wrap each side in coalesce() with a sentinel if such changes must alert. ```
``` NOTE(review): includeGroups_old/_new are multivalue; the "." concatenation does not render them as a JSON array string, so that row may be empty or show a single value - verify. ```
| eval changes=mvappend(
if(displayName_old!=displayName_new, "displayName, ".displayName_old.", ".displayName_new, null()),
if(modifiedDateTime_old!=modifiedDateTime_new, "modifiedDateTime, ".modifiedDateTime_old.", ".modifiedDateTime_new, null()),
if(includeGroups_old!=includeGroups_new, "users.includeGroups, ".includeGroups_old.", ".includeGroups_new, null()),
if(excludeGroups_old!=excludeGroups_new, "users.excludeGroups, ".excludeGroups_old.", ".excludeGroups_new, null()),
if(cloudAppSecurityType_old!=cloudAppSecurityType_new, "sessionControls.cloudAppSecurityType, ".cloudAppSecurityType_old.", ".cloudAppSecurityType_new, null()),
if(signInFrequencyValue_old!=signInFrequencyValue_new, "signInFrequency.value, ".signInFrequencyValue_old.", ".signInFrequencyValue_new, null())
)
``` One row per change; the regex assumes neither the key nor the old value contains a comma. ```
| mvexpand changes
| rex field=changes "(?<key>[^,]+), (?<old_value>[^,]+), (?<new_value>.+)"
| table key, old_value, new_value


 

I hope this helps, if any reply helps you, you could add your upvote/karma points to that reply, thanks.

vikashumble

Hello @kiran_panchavat 

 

This does work if the changed values are only in the fields whose values I deliberately changed, in other words displayName, modifiedDateTime etc. But what I am looking for is whether values have changed anywhere in this JSON object (say some events have changed values in id or something else). I think that would not be captured by your query (I have tested that). Hence I cannot accept this as a solution as of now.


ITWhisperer

Assuming your fields have already been extracted, try something like this

``` Row-wise diff of already-extracted fields: assumes exactly two events with the same field names, the old one first and the new one second. transpose 0 turns every field into a row with one column per event. ```
| transpose 0 column_name="KeyName"
| rename "row 1" as OldValue, "row 2" as NewValue
``` NOTE(review): a comparison against a null/empty side does not evaluate to true, so a field present in only one event is not reported; confirm whether transpose fills such cells with "" or leaves them null. ```
| eval diff=if(OldValue!=NewValue,1,null())
| where diff=1

vikashumble

Hey @ITWhisperer, can you please guide me a bit more on what you meant, maybe with a simpler example? It would help a lot. Also, I forgot to mention that both values come from the same event.

 

Thanks


ITWhisperer

Please post your raw event in a code block using the </> button so we can see what you are dealing with and be able to provide further guidance.


vikashumble

Hello @ITWhisperer, below is the sample event. I am looking to compare "targetResources.modifiedProperties.oldValue" with "targetResources.modifiedProperties.newValue", and if there are differences, output the key name, old value and new value. Hope this makes sense, and apologies for the confusion before.

{
	"id": "XXXXXX",
	"category": "ABCD",
	"correlationId": "exxxxxx0",
	"result": "success",
	"resultReason": null,
	"activityDisplayName": "update something",
	"activityDateTime": "2025-02-13T10:00:54.007809Z",
	"loggedByService": "XXXX",
	"operationType": "Update",
	"targetResources": [
		{
			"id": "XXXX",
			"displayName": "DISPLAYNAME",
			"type": "ABCD",
			"userPrincipalName": null,
			"groupType": null,
			"modifiedProperties": [
				{
					"displayName": "abcd",
					"oldValue": "{\"id\":\"1234\",\"displayName\":\"ANY DISPLAY NAME\",\"createdDateTime\":\"2022-10-05T10:01:58.275401+00:00\",\"modifiedDateTime\":\"2025-02-05T10:30:40.0351794+00:00\",\"state\":\"enabled\",\"conditions\":{\"applications\":{\"includeApplications\":[\"YYYY\"],\"excludeApplications\":[],\"includeUserActions\":[\"USERACTION1\"],\"includeAuthenticationContextClassReferences\":[],\"applicationFilter\":null},\"users\":{\"includeUsers\":[],\"excludeUsers\":[],\"includeGroups\":[\"USERGROUP1\",\"USERGROUP2\"],\"excludeGroups\":[],\"includeRoles\":[],\"excludeRoles\":[]},\"userRiskLevels\":[],\"signInRiskLevels\":[],\"clientAppTypes\":[\"all\"],\"servicePrincipalRiskLevels\":[]},\"grantControls\":{\"operator\":\"OR\",\"builtInControls\":[\"mfa\"],\"customAuthenticationFactors\":[],\"termsOfUse\":[]},\"sessionControls\":{\"cloudAppSecurity\":{\"cloudAppSecurityType\":\"monitorOnly\",\"isEnabled\":true},\"signInFrequency\":{\"value\":2,\"type\":\"hours\",\"authenticationType\":\"primaryAndSecondaryAuthentication\",\"frequencyInterval\":\"timeBased\",\"isEnabled\":true}}}",
					"newValue": "{\"id\":\"12345\",\"displayName\":\"ANY DISPLAY NAME 1\",\"createdDateTime\":\"2022-10-05T10:01:58.275401+00:00\",\"modifiedDateTime\":\"2025-02-06T10:30:40.0351794+00:00\",\"state\":\"enabled\",\"conditions\":{\"applications\":{\"includeApplications\":[\"AABB\"],\"excludeApplications\":[],\"includeUserActions\":[],\"includeAuthenticationContextClassReferences\":[],\"applicationFilter\":null},\"users\":{\"includeUsers\":[\"All\"],\"excludeUsers\":[],\"includeGroups\":[],\"excludeGroups\":[],\"includeRoles\":[],\"excludeRoles\":[]},\"userRiskLevels\":[],\"signInRiskLevels\":[],\"clientAppTypes\":[\"all\"],\"servicePrincipalRiskLevels\":[]},\"grantControls\":{\"operator\":\"OR\",\"builtInControls\":[\"mfa\"],\"customAuthenticationFactors\":[],\"termsOfUse\":[]},\"sessionControls\":{\"cloudAppSecurity\":{\"cloudAppSecurityType\":\"monitorOnly\",\"isEnabled\":true},\"signInFrequency\":{\"value\":1,\"type\":\"hours\",\"authenticationType\":\"primaryAndSecondaryAuthentication\",\"frequencyInterval\":\"timeBased\",\"isEnabled\":true}}}"
				}
			]
		}
	],
	"additionalDetails": [
		{
			"key": "Category",
			"value": "ANY CATEGORY"
		}
	]
}

 


ITWhisperer

Try something along these lines

``` Diff the oldValue/newValue JSON strings carried in an Entra ID audit event's targetResources{}.modifiedProperties{} and collect every differing path as a KeyName|oldValue|newValue entry in the multivalue field mismatch. ```
``` The makeresults below only stands in for the real event; replace it with the base search. ```
| makeresults format=json data="[{
	\"id\": \"XXXXXX\",
	\"category\": \"ABCD\",
	\"correlationId\": \"exxxxxx0\",
	\"result\": \"success\",
	\"resultReason\": null,
	\"activityDisplayName\": \"update something\",
	\"activityDateTime\": \"2025-02-13T10:00:54.007809Z\",
	\"loggedByService\": \"XXXX\",
	\"operationType\": \"Update\",
	\"targetResources\": [
		{
			\"id\": \"XXXX\",
			\"displayName\": \"DISPLAYNAME\",
			\"type\": \"ABCD\",
			\"userPrincipalName\": null,
			\"groupType\": null,
			\"modifiedProperties\": [
				{
					\"displayName\": \"abcd\",
					\"oldValue\": \"{\\\"id\\\":\\\"1234\\\",\\\"displayName\\\":\\\"ANY DISPLAY NAME\\\",\\\"createdDateTime\\\":\\\"2022-10-05T10:01:58.275401+00:00\\\",\\\"modifiedDateTime\\\":\\\"2025-02-05T10:30:40.0351794+00:00\\\",\\\"state\\\":\\\"enabled\\\",\\\"conditions\\\":{\\\"applications\\\":{\\\"includeApplications\\\":[\\\"YYYY\\\"],\\\"excludeApplications\\\":[],\\\"includeUserActions\\\":[\\\"USERACTION1\\\"],\\\"includeAuthenticationContextClassReferences\\\":[],\\\"applicationFilter\\\":null},\\\"users\\\":{\\\"includeUsers\\\":[],\\\"excludeUsers\\\":[],\\\"includeGroups\\\":[\\\"USERGROUP1\\\",\\\"USERGROUP2\\\"],\\\"excludeGroups\\\":[],\\\"includeRoles\\\":[],\\\"excludeRoles\\\":[]},\\\"userRiskLevels\\\":[],\\\"signInRiskLevels\\\":[],\\\"clientAppTypes\\\":[\\\"all\\\"],\\\"servicePrincipalRiskLevels\\\":[]},\\\"grantControls\\\":{\\\"operator\\\":\\\"OR\\\",\\\"builtInControls\\\":[\\\"mfa\\\"],\\\"customAuthenticationFactors\\\":[],\\\"termsOfUse\\\":[]},\\\"sessionControls\\\":{\\\"cloudAppSecurity\\\":{\\\"cloudAppSecurityType\\\":\\\"monitorOnly\\\",\\\"isEnabled\\\":true},\\\"signInFrequency\\\":{\\\"value\\\":2,\\\"type\\\":\\\"hours\\\",\\\"authenticationType\\\":\\\"primaryAndSecondaryAuthentication\\\",\\\"frequencyInterval\\\":\\\"timeBased\\\",\\\"isEnabled\\\":true}}}\",
					\"newValue\": \"{\\\"id\\\":\\\"12345\\\",\\\"displayName\\\":\\\"ANY DISPLAY NAME 1\\\",\\\"createdDateTime\\\":\\\"2022-10-05T10:01:58.275401+00:00\\\",\\\"modifiedDateTime\\\":\\\"2025-02-06T10:30:40.0351794+00:00\\\",\\\"state\\\":\\\"enabled\\\",\\\"conditions\\\":{\\\"applications\\\":{\\\"includeApplications\\\":[\\\"AABB\\\"],\\\"excludeApplications\\\":[],\\\"includeUserActions\\\":[],\\\"includeAuthenticationContextClassReferences\\\":[],\\\"applicationFilter\\\":null},\\\"users\\\":{\\\"includeUsers\\\":[\\\"All\\\"],\\\"excludeUsers\\\":[],\\\"includeGroups\\\":[],\\\"excludeGroups\\\":[],\\\"includeRoles\\\":[],\\\"excludeRoles\\\":[]},\\\"userRiskLevels\\\":[],\\\"signInRiskLevels\\\":[],\\\"clientAppTypes\\\":[\\\"all\\\"],\\\"servicePrincipalRiskLevels\\\":[]},\\\"grantControls\\\":{\\\"operator\\\":\\\"OR\\\",\\\"builtInControls\\\":[\\\"mfa\\\"],\\\"customAuthenticationFactors\\\":[],\\\"termsOfUse\\\":[]},\\\"sessionControls\\\":{\\\"cloudAppSecurity\\\":{\\\"cloudAppSecurityType\\\":\\\"monitorOnly\\\",\\\"isEnabled\\\":true},\\\"signInFrequency\\\":{\\\"value\\\":1,\\\"type\\\":\\\"hours\\\",\\\"authenticationType\\\":\\\"primaryAndSecondaryAuthentication\\\",\\\"frequencyInterval\\\":\\\"timeBased\\\",\\\"isEnabled\\\":true}}}\"
				}
			]
		}
	],
	\"additionalDetails\": [
		{
			\"key\": \"Category\",
			\"value\": \"ANY CATEGORY\"
		}
	]
}]" 
``` Keep only the raw event, then pull the modifiedProperties object(s) out as JSON text. ```
| fields _raw 
| spath targetResources{}.modifiedProperties{} output=modifiedProperties
| fields - _raw
``` Yields displayName, oldValue and newValue; the latter two are whole JSON documents stored as strings. ```
| spath input=modifiedProperties
``` Wrap newValue under a known root so every leaf path becomes newValueObject.<path>. ```
``` NOTE(review): the closing character is "]" where "}" would balance the opening "{"; the author reports this works, so spath presumably stops after the object, but "}" is the well-formed form - confirm on real data. ```
| eval newValueString="{\"newValueObject\":".newValue."]"
| spath input=newValueString
``` For each leaf of newValue, MATCHSTR is the path after the root (e.g. conditions.users.includeGroups{}) and FIELD its new value; json_extract() reads the same path from oldValue and the two are compared. ```
``` Caveats to verify before using this for alerting on policy changes: (1) only paths present in newValue are visited, so a key removed in the new document is never reported; ```
``` (2) if a path is absent in oldValue, _value is null and the string concatenation below is null, so an added key is likely dropped silently rather than reported; ```
``` (3) array paths ({}) arrive as multivalue fields while json_extract() may return JSON text, so arrays could compare unequal even when identical - check includeGroups{} against real events. ```
| foreach newValueObject.*
    [| eval _value=json_extract(oldValue,"<<MATCHSTR>>")
    | eval _KeyName=if('<<FIELD>>'=_value,null(),"<<MATCHSTR>>")
    | eval mismatch=if(isnotnull(_KeyName),if(isnotnull(mismatch),mvappend(mismatch,_KeyName."|"._value."|".'<<FIELD>>'),_KeyName."|"._value."|".'<<FIELD>>'),mismatch)]
``` Drop the scratch fields; mismatch is what remains (absent when nothing differed). ```
| fields - newValueObject.* newValueString _value _KeyName

You should end up with a multi-value field of pipe-delimited values: key, old value, new value.

livehybrid

Hi @vikashumble 

I think this solution on another question might work for you; instead of copying it over, check out https://community.splunk.com/t5/Dashboards-Visualizations/How-to-find-and-show-unique-and-missing-ke... so you can get the full context.

Please let me know how you get on and consider accepting this answer or adding karma this answer if it has helped.
Regards

Will
