An easier, and perhaps more semantic, method is to use the JSON functions introduced in 8.1 to restructure the data. (As we have seen before, you have developers who overload JSON's key name to convey data, which is never a good thing. If you have any influence on them, maybe ask them to change the structure before it reaches the data consumer.) With the data you illustrated, Splunk would have given you fields like key1.field1, key2.field2. Iterate over them using foreach.

| foreach *.*
    [eval temp = json_object(), temp = json_set(temp, "Name A", "<<MATCHSEG1>>", "Name B", "<<MATCHSEG2>>", "Value", '<<FIELD>>'),
    reformat = mvappend(reformat, temp)]
| mvexpand reformat
| spath input=reformat
| fields - _* key* temp

Your example results in

| Name A | Name B | Value | reformat |
|--------|--------|-------|----------|
| key1 | field1 | x | {"Name A":"key1","Name B":"field1","Value":"x"} |
| key2 | field2 | xx | {"Name A":"key2","Name B":"field2","Value":"xx"} |
| key3 | field3 | xxx | {"Name A":"key3","Name B":"field3","Value":"xxx"} |

Here is an emulation you can play with and compare with real data

| makeresults
| eval _raw="{
\"key1\": {
\"field1\": \"x\"
},
\"key2\": {
\"field2\": \"xx\"
},
\"key3\": {
\"field3\": \"xxx\"
}
}"
| spath
``` data emulation above ```
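The same restructuring, written outside Splunk as an added Python example (not the answer's own code, and not part of the original post): `spath_flatten` emulates how spath turns the nested object into dotted field names, and `restructure` emulates the `foreach *.*` loop that splits each name into "Name A" / "Name B" and keeps the value. The `RAW` sample is constructed to match the emulated `_raw` above.

```python
import json

# Constructed sample: the same shape as the emulated _raw in the search above.
RAW = '{"key1": {"field1": "x"}, "key2": {"field2": "xx"}, "key3": {"field3": "xxx"}}'


def spath_flatten(obj, prefix=""):
    """Emulate spath: nested objects become dotted field names (key1.field1)."""
    fields = {}
    for key, value in obj.items():
        name = f"{prefix}.{key}" if prefix else key
        if isinstance(value, dict):
            fields.update(spath_flatten(value, name))
        else:
            fields[name] = value
    return fields


def restructure(raw):
    """Emulate `foreach *.*` + json_set: one row per two-segment field name.

    Segment 1 becomes "Name A", segment 2 "Name B", the field value "Value".
    This emulation only handles names with exactly two segments; anything
    deeper (or a top-level scalar) is skipped rather than guessed at.
    """
    rows = []
    for name, value in spath_flatten(json.loads(raw)).items():
        segments = name.split(".")
        if len(segments) != 2:
            continue
        rows.append({"Name A": segments[0], "Name B": segments[1], "Value": value})
    return rows


if __name__ == "__main__":
    # Print the "reformat" column as the search builds it: one JSON object per row.
    for row in restructure(RAW):
        print(json.dumps(row, separators=(",", ":")))
```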