@ITWhisperer is correct. You should not use regex with JSON which contains structured data. In fact, you also do not need spath with raw events because Splunk by default does that. So, you can use untable directly.

A more semantic implementation of your intentions is to use JSON functions introduced in 8.2:

index=jenkins_artifact source="<path to json>/statistics.json"
| eval Transaction_type = json_keys(_raw)
| foreach mode=json_array Transaction_type
[eval jsonTrans = mvappend(jsonTrans, json_object("Transaction Name", <<ITEM>>, "pct2ResTime", json_extract(_raw, <<ITEM>> . ".pct2ResTime")))]
| fields - _raw Transaction*
| mvexpand jsonTrans
| spath input=jsonTrans
| fields - json*

This is an emulation of your mock data:

| makeresults
| eval _raw = "{
\"Transaction1\" : {
\"transaction\" : \"Transaction1\",
\"pct1ResTime\" : 3083.0,
\"pct2ResTime\" : 4198.0,
\"pct3ResTime\" : 47139.0
},
\"Transaction2\" : {
\"transaction\" : \"Transaction2\",
\"pct1ResTime\" : 1151.3000000000002,
\"pct2ResTime\" : 1318.8999999999996,
\"pct3ResTime\" : 6866.0
},
\"Transaction3\" : {
\"transaction\" : \"Transaction3\",
\"pct1ResTime\" : 342.40000000000003,
\"pct2ResTime\" : 451.49999999999983,
\"pct3ResTime\" : 712.5799999999997
}
}"
| spath
``` the above emulates
index=jenkins_artifact source="<path to json>/statistics.json"
```

Output is

Transaction Name    pct2ResTime
Transaction1        4198
Transaction2        1318.8999999999996
Transaction3        451.49999999999983