(First off, please post sample data as a text block, not a screenshot.)

You should first convert the JSON array Policy{} into a multivalue field of its JSON elements before applying mvexpand. spath is very useful here. In 9.0, Splunk added a new command, fromjson, which is more convenient for your case. The following uses fromjson:

    | fromjson _raw
    | mvexpand Policies
    | fromjson Policies
    | stats count by displayName result

Your mock data gives

    displayName  result      count
    Policy1      success     1
    Policy2      failure     1
    Policy3      notApplied  1

This is an emulation of your mock data you can play with and compare with real data:

    | makeresults
    | eval _raw = "{\"SigninId\": \"some-id\",
      \"Policies\": [
        {
          \"id\": \"1234\",
          \"displayName\": \"Policy1\",
          \"result\": \"success\"
        },
        {
          \"id\": \"4353\",
          \"displayName\": \"Policy2\",
          \"result\": \"failure\"
        },
        {
          \"id\": \"0093\",
          \"displayName\": \"Policy3\",
          \"result\": \"notApplied\"
        }
      ]}"
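As an added example, not part of the answer above or of any Splunk code: a plain-Python emulation of the same `fromjson _raw | mvexpand Policies | fromjson Policies | stats count by displayName result` pipeline, so the expand-then-flatten logic can be sanity-checked against a handful of events outside Splunk before the search is run over real sign-in data. The sample events (`SAMPLE_EVENTS`) are constructed for this example and extend the mock data with a second sign-in, an event that carries no Policies array, and a policy entry with no result field. How this example treats an event without a Policies array is its own choice and not a claim about what mvexpand does with a null field; the rule that a `stats ... by` clause drops rows missing any by-field is real Splunk behaviour and is mirrored in `count_by`.

```python
"""Plain-Python emulation of the SPL pipeline

    | fromjson _raw | mvexpand Policies | fromjson Policies
    | stats count by displayName result

Added example; the events below are constructed, not real sign-in logs.
"""
import json
from collections import Counter
from typing import Dict, Iterable, Iterator, Tuple

# Constructed sample events. The first one is the mock data from the post.
SAMPLE_EVENTS = [
    json.dumps({
        "SigninId": "some-id",
        "Policies": [
            {"id": "1234", "displayName": "Policy1", "result": "success"},
            {"id": "4353", "displayName": "Policy2", "result": "failure"},
            {"id": "0093", "displayName": "Policy3", "result": "notApplied"},
        ],
    }),
    json.dumps({
        "SigninId": "other-id",
        "Policies": [
            {"id": "1234", "displayName": "Policy1", "result": "success"},
            {"id": "4353", "displayName": "Policy2", "result": "success"},
        ],
    }),
    # An event with no Policies array at all.
    json.dumps({"SigninId": "no-policies"}),
    # A policy entry that lacks a result field; see count_by for its fate.
    json.dumps({"SigninId": "partial",
                "Policies": [{"id": "9", "displayName": "Policy4"}]}),
]


def expand_policies(raw_events: Iterable[str]) -> Iterator[dict]:
    """One output row per (event, policy) pair.

    fromjson _raw      -> json.loads on the event
    mvexpand Policies  -> one row per array element, parent fields copied
    fromjson Policies  -> the element's keys become fields on that row
    """
    for raw in raw_events:
        event = json.loads(raw)
        policies = event.get("Policies")
        if not isinstance(policies, list):
            # Nothing to expand. This example emits no row for such an
            # event (an assumption of the example, not mvexpand semantics).
            continue
        parent = {k: v for k, v in event.items() if k != "Policies"}
        for policy in policies:
            row = dict(parent)
            # Keys of the element overwrite same-named parent fields, as a
            # second fromjson would.
            row.update(policy)
            yield row


def count_by(rows: Iterable[dict], *fields: str) -> Dict[Tuple, int]:
    """Emulates `stats count by <fields>`: rows missing any by-field are
    excluded from the count, exactly as stats does."""
    counts: Counter = Counter()
    for row in rows:
        if any(row.get(f) is None for f in fields):
            continue
        counts[tuple(row[f] for f in fields)] += 1
    return dict(counts)


def policy_result_counts(raw_events: Iterable[str] = SAMPLE_EVENTS) -> Dict[Tuple, int]:
    """The whole pipeline: counts keyed by (displayName, result)."""
    return count_by(expand_policies(raw_events), "displayName", "result")


if __name__ == "__main__":
    for (name, result), n in sorted(policy_result_counts().items()):
        print(f"{name:10} {result:12} {n}")
```

The Policy4 row survives expansion but never reaches the count, which is the same silent drop you get in Splunk when a by-field is null; if you want those rows visible, add `fillnull value=unknown result` before the stats (or `.get(f, "unknown")` here). Also keep in mind that mvexpand is bounded by `max_mem_usage_mb` in limits.conf and truncates its output with a warning once that is exceeded, so on large sign-in volumes verify the row count against the event count before trusting the totals.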