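Try something along these lines | makeresults format=json data="[{
\"id\": \"XXXXXX\",
\"category\": \"ABCD\",
\"correlationId\": \"exxxxxx0\",
\"result\": \"success\",
\"resultReason\": null,
\"activityDisplayName\": \"update something\",
\"activityDateTime\": \"2025-02-13T10:00:54.007809Z\",
\"loggedByService\": \"XXXX\",
\"operationType\": \"Update\",
\"targetResources\": [
{
\"id\": \"XXXX\",
\"displayName\": \"DISPLAYNAME\",
\"type\": \"ABCD\",
\"userPrincipalName\": null,
\"groupType\": null,
\"modifiedProperties\": [
{
\"displayName\": \"abcd\",
\"oldValue\": \"{\\\"id\\\":\\\"1234\\\",\\\"displayName\\\":\\\"ANY DISPLAY NAME\\\",\\\"createdDateTime\\\":\\\"2022-10-05T10:01:58.275401+00:00\\\",\\\"modifiedDateTime\\\":\\\"2025-02-05T10:30:40.0351794+00:00\\\",\\\"state\\\":\\\"enabled\\\",\\\"conditions\\\":{\\\"applications\\\":{\\\"includeApplications\\\":[\\\"YYYY\\\"],\\\"excludeApplications\\\":[],\\\"includeUserActions\\\":[\\\"USERACTION1\\\"],\\\"includeAuthenticationContextClassReferences\\\":[],\\\"applicationFilter\\\":null},\\\"users\\\":{\\\"includeUsers\\\":[],\\\"excludeUsers\\\":[],\\\"includeGroups\\\":[\\\"USERGROUP1\\\",\\\"USERGROUP2\\\"],\\\"excludeGroups\\\":[],\\\"includeRoles\\\":[],\\\"excludeRoles\\\":[]},\\\"userRiskLevels\\\":[],\\\"signInRiskLevels\\\":[],\\\"clientAppTypes\\\":[\\\"all\\\"],\\\"servicePrincipalRiskLevels\\\":[]},\\\"grantControls\\\":{\\\"operator\\\":\\\"OR\\\",\\\"builtInControls\\\":[\\\"mfa\\\"],\\\"customAuthenticationFactors\\\":[],\\\"termsOfUse\\\":[]},\\\"sessionControls\\\":{\\\"cloudAppSecurity\\\":{\\\"cloudAppSecurityType\\\":\\\"monitorOnly\\\",\\\"isEnabled\\\":true},\\\"signInFrequency\\\":{\\\"value\\\":2,\\\"type\\\":\\\"hours\\\",\\\"authenticationType\\\":\\\"primaryAndSecondaryAuthentication\\\",\\\"frequencyInterval\\\":\\\"timeBased\\\",\\\"isEnabled\\\":true}}}\",
\"newValue\": \"{\\\"id\\\":\\\"12345\\\",\\\"displayName\\\":\\\"ANY DISPLAY NAME 1\\\",\\\"createdDateTime\\\":\\\"2022-10-05T10:01:58.275401+00:00\\\",\\\"modifiedDateTime\\\":\\\"2025-02-06T10:30:40.0351794+00:00\\\",\\\"state\\\":\\\"enabled\\\",\\\"conditions\\\":{\\\"applications\\\":{\\\"includeApplications\\\":[\\\"AABB\\\"],\\\"excludeApplications\\\":[],\\\"includeUserActions\\\":[],\\\"includeAuthenticationContextClassReferences\\\":[],\\\"applicationFilter\\\":null},\\\"users\\\":{\\\"includeUsers\\\":[\\\"All\\\"],\\\"excludeUsers\\\":[],\\\"includeGroups\\\":[],\\\"excludeGroups\\\":[],\\\"includeRoles\\\":[],\\\"excludeRoles\\\":[]},\\\"userRiskLevels\\\":[],\\\"signInRiskLevels\\\":[],\\\"clientAppTypes\\\":[\\\"all\\\"],\\\"servicePrincipalRiskLevels\\\":[]},\\\"grantControls\\\":{\\\"operator\\\":\\\"OR\\\",\\\"builtInControls\\\":[\\\"mfa\\\"],\\\"customAuthenticationFactors\\\":[],\\\"termsOfUse\\\":[]},\\\"sessionControls\\\":{\\\"cloudAppSecurity\\\":{\\\"cloudAppSecurityType\\\":\\\"monitorOnly\\\",\\\"isEnabled\\\":true},\\\"signInFrequency\\\":{\\\"value\\\":1,\\\"type\\\":\\\"hours\\\",\\\"authenticationType\\\":\\\"primaryAndSecondaryAuthentication\\\",\\\"frequencyInterval\\\":\\\"timeBased\\\",\\\"isEnabled\\\":true}}}\"
}
]
}
],
\"additionalDetails\": [
{
\"key\": \"Category\",
\"value\": \"ANY CATEGORY\"
}
]
}]"
```The makeresults stage above only builds one sample event in the shape of an audit record (activityDisplayName, targetResources[].modifiedProperties[] with oldValue/newValue as embedded JSON strings); replace it with your real audit-log search. The sample newValue looks like a Conditional Access policy whose conditions, grantControls and sessionControls changed — those are the paths a detection on policy edits would key on. The rest of the pipeline reports every path whose newValue differs from oldValue.```
| fields _raw
```Pull the modifiedProperties array out of the nested targetResources array```
| spath targetResources{}.modifiedProperties{} output=modifiedProperties
| fields - _raw
```Expose displayName, oldValue and newValue as top-level fields```
| spath input=modifiedProperties
```Wrap newValue under a single root key so every extracted field is prefixed newValueObject.* and can be enumerated by foreach. The wrapper has to close with "}" (not "]") to be valid JSON, otherwise spath is working on a malformed document.```
| eval newValueString="{\"newValueObject\":".newValue."}"
| spath input=newValueString
```For each new-side field, look up the same path in oldValue: <<MATCHSTR>> is the path below newValueObject, <<FIELD>> the full field name```
| foreach newValueObject.*
    [| eval _value=json_extract(oldValue,"<<MATCHSTR>>")
    ```_KeyName is set only when the two sides differ; a path missing on the old side makes the comparison null, which also falls into the "changed" branch```
    | eval _KeyName=if('<<FIELD>>'=_value,null(),"<<MATCHSTR>>")
    ```Accumulate key|old|new triples in mismatch. NOTE(review): array-valued paths such as includeGroups{} come back from spath as a multivalue field but from json_extract as a JSON string, so they may always be reported as changed — verify against real data```
    | eval mismatch=if(isnotnull(_KeyName),if(isnotnull(mismatch),mvappend(mismatch,_KeyName."|"._value."|".'<<FIELD>>'),_KeyName."|"._value."|".'<<FIELD>>'),mismatch)]
```Drop the scratch fields; only mismatch (plus the original fields) is left```
| fields - newValueObject.* newValueString _value _KeyName You should end up with a multi-value field `mismatch` whose pipe-delimited values are key, old value, new value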