Hi all. I'm trying to create a table from AWS WAF logs. There is a section of the log called ruleGroupList{}, which is a list containing multiple dictionaries. Sometimes there is a field called "excludedRules" that is null. When it is not null, it is a list containing a dictionary with a field called ruleId.
ruleGroupList: [
  {
    excludedRules: null
    nonTerminatingMatchingRules: [ ... ]
    ruleGroupId: AWS#AWSManagedRulesBotControlRuleSet
    terminatingRule: null
  }
  {
    excludedRules: [
      {
        exclusionType: EXCLUDED_AS_COUNT
        ruleId: SizeRestrictions_BODY
      }
    ]
    nonTerminatingMatchingRules: [ ... ]
    ruleGroupId: AWS#AWSManagedRulesCommonRuleSet
    terminatingRule: null
  }
In this case, I want to:
list the ruleGroupList{}.ruleGroupId and the ruleGroupList{}.excludedRules{}.ruleId in a table,
when ruleGroupList{}.excludedRules is not NULL.
If it is NULL, then I don't want to display the values for that dictionary. There are 7 dictionaries in this ruleGroupList{} (as long as I don't change my WAF settings in AWS).
This is my search:
<search>
| spath input=ruleGroupList{} path=excludedRules
| rename ruleGroupList{}.ruleGroupId as ruleGroup, ruleGroupList{}.excludedRules{}.ruleId as ruleGroupId, ruleGroupList{}.excludedRules as testNullExcludedRules
| eval x=case(!isnull(testNullExcludedRules),mvzip(ruleGroup,ruleGroupId),isnull(testNullExcludedRules),x)
| mvexpand x
| eval x = split(x,",")
| eval ruleGroupId=case(!isnull(testNullExcludedRules),mvindex(x,1))
| eval ruleGroup=case(!isnull(testNullExcludedRules),mvindex(x,0))
| table _time,ruleGroup,ruleGroupId
This gives me the ruleGroupId correctly, but it always lists the first instance of the ruleGroup.
I can't figure out how to ignore the ruleGroup when its corresponding excludedRules is NULL.
Thanks for any help!
Kevin
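To show why the search above pairs the wrong ruleGroup with each ruleId, here is an added example (not part of the original post) that parses a constructed WAF event modelled on the one shown. `flattened_fields` reproduces what `spath` does with the two `{}` paths, each becoming an independent multivalue field, so zipping them lines up index 0 of one list with index 0 of the other; `excluded_rule_rows` walks each dictionary in ruleGroupList instead, which keeps the ruleGroupId and its own excludedRules together and lets you drop the null ones. The timestamp is a constructed placeholder.

```python
import json

# Constructed AWS WAF log fragment modelled on the post's event: two rule groups,
# one with excludedRules null and one with a single excluded rule.
WAF_EVENT = json.loads("""
{
  "timestamp": 1700000000000,
  "ruleGroupList": [
    {"ruleGroupId": "AWS#AWSManagedRulesBotControlRuleSet",
     "terminatingRule": null, "nonTerminatingMatchingRules": [],
     "excludedRules": null},
    {"ruleGroupId": "AWS#AWSManagedRulesCommonRuleSet",
     "terminatingRule": null, "nonTerminatingMatchingRules": [],
     "excludedRules": [{"exclusionType": "EXCLUDED_AS_COUNT",
                        "ruleId": "SizeRestrictions_BODY"}]}
  ]
}
""")


def flattened_fields(event):
    """Mimic spath on ruleGroupList{}.ruleGroupId and
    ruleGroupList{}.excludedRules{}.ruleId: each path becomes its own
    multivalue field, so the positional link between them is lost
    (2 ruleGroupIds vs 1 ruleId here)."""
    groups = [g["ruleGroupId"] for g in event["ruleGroupList"]]
    rule_ids = [r["ruleId"] for g in event["ruleGroupList"]
                for r in (g.get("excludedRules") or [])]
    return groups, rule_ids


def excluded_rule_rows(event):
    """Walk each dictionary in ruleGroupList and emit (ruleGroupId, ruleId)
    pairs only for groups whose excludedRules is not null (or empty)."""
    rows = []
    for group in event["ruleGroupList"]:
        excluded = group.get("excludedRules")
        if not excluded:  # null -> skip this dictionary entirely
            continue
        for rule in excluded:
            rows.append((group["ruleGroupId"], rule["ruleId"]))
    return rows


if __name__ == "__main__":
    groups, rule_ids = flattened_fields(WAF_EVENT)
    # zip pairs BotControl with SizeRestrictions_BODY: the wrong row the post sees
    print("flattened zip:", list(zip(groups, rule_ids)))
    for group_id, rule_id in excluded_rule_rows(WAF_EVENT):
        print("%-40s %s" % (group_id, rule_id))
```

The SPL analogue of the per-dictionary walk is to `mvexpand` the ruleGroupList{} elements first and run `spath` on each element, rather than zipping the two flattened multivalue fields.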