First, when illustrating structured data, please post compliant raw text. In your case, a compliant JSON should be

{
  "application": "app1",
  "feature": "feature1",
  "timestamp": "01/29/2025 23:02:00 +0000",
  "users": [
    {
      "userhost": "client1",
      "username": "user1"
    },
    {
      "userhost": "client2",
      "username": "user2"
    }
  ]
}

The trick here is to reach into the JSON array to perform mvexpand and ignore Splunk's default flattening of the array.

| spath path=users{}
| mvexpand users{}
| spath input=users{}

Your sample data will give

application  feature   timestamp                  userhost  username  users{}
app1         feature1  01/29/2025 23:02:00 +0000  client1   user1     { "userhost": "client1", "username": "user1" }
app1         feature1  01/29/2025 23:02:00 +0000  client2   user2     { "userhost": "client2", "username": "user2" }

Here is an emulation for you to play with and compare with real data

| makeresults
| eval _raw = "{
\"application\": \"app1\",
\"feature\": \"feature1\",
\"timestamp\": \"01/29/2025 23:02:00 +0000\",
\"users\": [
{
\"userhost\": \"client1\",
\"username\": \"user1\"
},
{
\"userhost\": \"client2\",
\"username\": \"user2\"
}
]
}"
| spath
``` data emulation above ```
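To make the difference between the two extraction styles concrete outside Splunk, here is an added Python model (not code from the post or from Splunk) of what the answer above describes: `default_flatten` mimics Splunk's automatic JSON extraction, where every leaf under the `users` array becomes a parallel multivalue field (`users{}.userhost`, `users{}.username`) and the pairing of a host with its user is only implied by position; `expand_array` mimics `spath path=users{} | mvexpand users{} | spath input=users{}`, producing one row per array element with the element's keys as top-level fields. The sample event is constructed to match the JSON in the post; the function names and the exact field naming are assumptions for illustration. Keeping host and user on the same row matters whenever a search later filters or counts by one of them, since a multivalue match on `users{}.username` says nothing about which `userhost` it belongs to.

```python
import json

# Constructed sample event, same shape as the JSON in the post
SAMPLE_EVENT = """{
  "application": "app1",
  "feature": "feature1",
  "timestamp": "01/29/2025 23:02:00 +0000",
  "users": [
    {"userhost": "client1", "username": "user1"},
    {"userhost": "client2", "username": "user2"}
  ]
}"""


def default_flatten(raw):
    """Model of Splunk's default auto-extraction of a JSON array (assumed
    naming): each leaf under an array becomes a multivalue field called
    <array>{}.<key>, so userhost and username end up in two separate
    lists and the per-element pairing is lost."""
    event = json.loads(raw)
    fields = {}
    for key, value in event.items():
        if isinstance(value, list):
            for elem in value:
                if isinstance(elem, dict):
                    for k, v in elem.items():
                        fields.setdefault(f"{key}{{}}.{k}", []).append(v)
                else:
                    fields.setdefault(f"{key}{{}}", []).append(elem)
        else:
            fields[key] = value
    return fields


def expand_array(raw, array_field="users"):
    """Model of `spath path=users{} | mvexpand users{} | spath input=users{}`:
    one row per array element, carrying the event's scalar fields, the raw
    element as <array>{} and the element's own keys as top-level fields."""
    event = json.loads(raw)
    base = {k: v for k, v in event.items() if k != array_field}
    rows = []
    for elem in event.get(array_field, []):
        row = dict(base)
        # mvexpand leaves the element itself as the users{} field value
        row[f"{array_field}{{}}"] = json.dumps(elem, separators=(",", ":"))
        # spath input=users{} lifts the element's keys to top-level fields
        row.update(elem)
        rows.append(row)
    return rows


def hosts_for_user(rows, username):
    """Per-row lookup that is only meaningful after expansion: which
    userhost values appear together with the given username."""
    return [r["userhost"] for r in rows if r.get("username") == username]


if __name__ == "__main__":
    print("default flattening:", default_flatten(SAMPLE_EVENT))
    for row in expand_array(SAMPLE_EVENT):
        print("expanded row:", row)
    print("hosts for user2:", hosts_for_user(expand_array(SAMPLE_EVENT), "user2"))
```

Run it as-is to see both shapes side by side: the flattened form has a single row with list-valued `users{}.userhost` and `users{}.username`, while the expanded form has two rows that line up with the table in the answer above.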