I dont know the complete path to the nested tags array but you can do something like this to target the value contained within the Contact Key in the MV json fields. Something like this.     <base_search> | eval tags_json=spath(_raw, "tags{}"), contact=case( mvcount(tags_json)==1, if(spath(tags_json, "Key")=="Contact", spath(tags_json, "Value"), null()), mvcount(tags_json)>1, mvmap(tags_json, if(spath(tags_json, "Key")=="Contact", spath(tags_json, "Value"), null())) ) | fields + _time, _raw, tags_json, contact     Below is a screenshot of an example on my local instance. First we extract all json objects from the tags array as a multivalued field named "tags_json". From there you can use the mvmap() function to loop through the multivalue field and check each entry to see if the Key field value of the json object is equal to "Contact". If it is, then we know this is the json object we want to target the extraction of the "Value" key from. So we do an Spath specificly on that object and store the returned value as a field named "contact". Option 2: Another route to take (depending on the structure of your event and if it make sense to do i this way). We can loop through each json object in the tags array and stuff the key/values into a temporary json object that we can then do a full spath against. This is a more exhaustive approach as apposed to the targeted one in the previous example. SPL to do this would look something like this. <base_search> | eval ``` extract array of json objects a multivalued field ``` tags_json=spath(_raw, "tags{}"), ``` initialize the temporary json object that will hold all the key/value pairs contained within the tags array ``` final_tag_json=json_object() ``` use the mode=multivalue foreach loop to loop through each entry in the multivalued field ``` | foreach mode=multivalue tags_json [ | eval ``` json_set() function will set up each Key/Value as a new key/value pair in the temporary json "final_tag_json" ``` final_tag_json=json_set(final_tag_json, spath('<<ITEM>>', "Key"), spath('<<ITEM>>', "Value")) ] | fields - tags_json ``` full spath against the final_tag_json field ``` | spath input=final_tag_json | fields - final_tag_json | fields + _time, _raw, Contact, Name You can see in this screenshot that not only is the "Contact" field extracted but "Name" value is extracted as well, this method would loop through each json array and extract a new Key/Value pair for each entry. Below is a screenshot showing what the temporary final_tag_json object looks like that we did the full spath against for context.  

It depends on your SaaS application. The add-on is the integration layer or "glue" between your application and Splunk. The add-on is a combination of the code you write, the configuration needed to parse events before they're indexed, and the configuration needed to search events after they're indexed. There's a good overview of the Splunk pipeline at https://docs.splunk.com/Documentation/Splunk/9.1.2/Deploy/Datapipeline; however, you don't necessarily need to know everything about Splunk to write an add-on. The code you write depends on your application. Do you have an API? If yes, your code would read or receive data from your API, break it into logical events, and write the events to Splunk using Splunk's API. When I write "read or receive," I'm implying that the add-on establishes a connection your application and polls an API for new data, waits for new data through a publisher/subscriber interface, or otherwise gets data from your application. It's up to you to determine how data is retrieved, how checkpoints are tracked, etc.