Hi @splunk6, The mvexpand should work but if not as you mentioned, maybe the rex command could fix that to you. To get all the matches of Channel: | makeresults
| eval request="REQUEST=\"{...
See more...
Hi @splunk6, The mvexpand should work but if not as you mentioned, maybe the rex command could fix that to you. To get all the matches of Channel: | makeresults
| eval request="REQUEST=\"{\"body\":{\"customer\":{\"accountNumber\":\"DBC50012225699\",\"lineNumber\":\"5000654224\"},\"equipment\":{\"serialNumber\":\"351643935649535\",\"grade\":\"A\"},\"redemptionDetails\":{\"redemptionDate\":\"20240502\",\"user\":\"BMashiana\",\"storeNumber\":\"WCCA0105\",\"dealerNumber\":\"GW_STORE\"}},\"headers\":{\"content-type\":\"application/json;charset=UTF-8\",\"Accept\":\"application/json;charset=UTF-8\",\"Channel\":\"6\",\"Locale\":\"en-US\",\"TransactionID\":\"E86B7D59-B3CC-401D-977F-65218248367E\",\"ApplicationID\":\"00000411\",\"Authorization\":\"Basic ZnJlZWRvbWNyZWF0ZTpDd0t4dGlmbGZ3ZnFaQVYydWhtUg==\"}}\",REQUEST=\"{\"body\":{\"customer\":{\"accountNumber\":\"DBC50012225699\",\"lineNumber\":\"5000654224\"},\"equipment\":{\"serialNumber\":\"351643935649535\",\"grade\":\"A\"},\"redemptionDetails\":{\"redemptionDate\":\"20240502\",\"user\":\"BMashiana\",\"storeNumber\":\"WCCA0105\",\"dealerNumber\":\"GW_STORE\"}},\"headers\":{\"content-type\":\"application/json;charset=UTF-8\",\"Accept\":\"application/json;charset=UTF-8\",\"Channel\":\"7\",\"Locale\":\"en-US\",\"TransactionID\":\"E86B7D59-B3CC-401D-977F-65218248367E\",\"ApplicationID\":\"00000411\",\"Authorization\":\"Basic ZnJlZWRvbWNyZWF0ZTpDd0t4dGlmbGZ3ZnFaQVYydWhtUg==\"}}\","
| rex max_match=0 field=request "\,\"Channel\"\:\"(?<Channel>.+?)\"" To get only one result for the channel (the first one) by search: | makeresults
| eval request="REQUEST=\"{\"body\":{\"customer\":{\"accountNumber\":\"DBC50012225699\",\"lineNumber\":\"5000654224\"},\"equipment\":{\"serialNumber\":\"351643935649535\",\"grade\":\"A\"},\"redemptionDetails\":{\"redemptionDate\":\"20240502\",\"user\":\"BMashiana\",\"storeNumber\":\"WCCA0105\",\"dealerNumber\":\"GW_STORE\"}},\"headers\":{\"content-type\":\"application/json;charset=UTF-8\",\"Accept\":\"application/json;charset=UTF-8\",\"Channel\":\"6\",\"Locale\":\"en-US\",\"TransactionID\":\"E86B7D59-B3CC-401D-977F-65218248367E\",\"ApplicationID\":\"00000411\",\"Authorization\":\"Basic ZnJlZWRvbWNyZWF0ZTpDd0t4dGlmbGZ3ZnFaQVYydWhtUg==\"}}\",REQUEST=\"{\"body\":{\"customer\":{\"accountNumber\":\"DBC50012225699\",\"lineNumber\":\"5000654224\"},\"equipment\":{\"serialNumber\":\"351643935649535\",\"grade\":\"A\"},\"redemptionDetails\":{\"redemptionDate\":\"20240502\",\"user\":\"BMashiana\",\"storeNumber\":\"WCCA0105\",\"dealerNumber\":\"GW_STORE\"}},\"headers\":{\"content-type\":\"application/json;charset=UTF-8\",\"Accept\":\"application/json;charset=UTF-8\",\"Channel\":\"7\",\"Locale\":\"en-US\",\"TransactionID\":\"E86B7D59-B3CC-401D-977F-65218248367E\",\"ApplicationID\":\"00000411\",\"Authorization\":\"Basic ZnJlZWRvbWNyZWF0ZTpDd0t4dGlmbGZ3ZnFaQVYydWhtUg==\"}}\","
| rex field=request "\,\"Channel\"\:\"(?<Channel>.+?)\"" Note: It's import to mention that I created the request field to add your REQUEST field value into the | makeresults, ok? In your code, you should use only the rex field=REQUEST with or without max_match=0. I hope it helps you. Happy splunking!