@anooshac Can you please try this?

YOUR_SEARCH
``` Purpose: turn the Analysis Summary object of each event into one row per database with available, used, used_p and status. ```
``` NOTE(review): this parses JSON with regular expressions and depends on the exact key order and spacing seen in the sample event; the built-in spath command extracts JSON structurally and may be more robust - confirm against real events. ```
``` Step 1: delete everything from the start of the event through the Analysis Summary key and the colon-space after it. ```
| rex field=_raw mode=sed "s/(^.*\"Analysis Summary\"\: )//g" max_match=0
``` Step 2: delete the rest of the event from the comma before the RAM_Tracking key onward, leaving only the per-database entries. ```
| rex field=_raw mode=sed "s/(,\"RAM_Tracking.*)//g" max_match=0
``` Step 3: collect every key that is directly followed by an object starting with the Available key into the multivalue field Database (max_match=0 removes the match limit). ```
| rex field=_raw "\"(?<Database>[^\"]+)\": \{\"Available" max_match=0
``` Step 4: collect each brace-delimited object that follows a colon into the multivalue field Data. The lazy .+? stops at the first closing brace, so this relies on the per-database objects having no nested braces. ```
| rex field=_raw ":\s?(?<Data>\{.+?})" max_match=0
``` Step 5: pair the Nth Database with the Nth Data, joined by a pipe character. ```
| eval tmp = mvzip(Database,Data,"|")
``` Step 6: one result row per Database/Data pair. NOTE(review): mvexpand is memory-bounded and can truncate its output on very large events - confirm limits if event size is not controlled. ```
| mvexpand tmp
``` Step 7: split each pair back into its two halves. NOTE(review): only pieces 0 and 1 of the split are kept, so a pipe character inside a name or value would truncate the result - confirm the data cannot contain one. ```
| eval Database=mvindex(split(tmp,"|"),0), Data=mvindex(split(tmp,"|"),1)
``` Step 8: pull the individual values out of Data. The Used group is optional, so an entry without a Used key still matches and leaves used empty. Values are matched with [^,]+, so a value containing a comma would not match. ```
| rex field=Data "{\"Available\"\:\s?\"(?<available>[^,]+)\",(\"Used\"\:\s?\"(?<used>[^,]+)\",)?\"Used\(%\)\"\:\s?\"(?<used_p>[^,]+)\",\"Status\"\:\s?\"(?<status>[^}]+)\"}"
| table Database available used used_p status

My Sample Search:

| makeresults
``` Sample event for testing: an Info object holding Unit, Project, an Analysis Summary with entries DB1 to DB5 (DB3 has no Used key), and further objects starting at RAM_Tracking. ```
| eval _raw="{\"Info\": {\"Unit\": \"ABC\",\"Project\": \"XYZ\",\"Analysis Summary\": {\"DB1\": {\"Available\": \"1088kB\",\"Used\": \"173.23kB\",\"Used(%)\": \"15.92%\",\"Status\": \"OK\"},\"DB2\": {\"Available\": \"4096kB\",\"Used\": \"1591.85kB\",\"Used(%)\": \"38.86%\",\"Status\": \"OK\"},\"DB3\": {\"Available\": \"128kB\",\"Used(%)\": \"2.6%\",\"Status\": \"OK\"},\"DB4\": {\"Available\": \"16500kB\",\"Used\": \"6696.0\",\"Used(%)\": \"40.58%\",\"Status\": \"OK\"},\"DB5\": {\"Available\": \"22000kB\",\"Used\": \"9800.0\",\"Used(%)\": \"44.55%\",\"Status\": \"OK\"}},\"RAM_Tracking\": {\"a\": \"2\",\"b\": \"1088.0\",\"c\": \"32.1220703125\"},\"Database2_info\": {\"a\": \"4\",\"b\": \"4096.0\",\"c\": \"654.3212890625\"},\"Database3_info\": {\"a\": \"5\",\"b\": \"6696\",\"c\": \"9800\"},\"Database4_info\": {\"a\": \"6\",\"b\": \"128.0\",\"c\": \"21.086\"}}}"
``` Strip the leading part of the event, up to and including the Analysis Summary key and the colon-space after it. ```
| rex field=_raw mode=sed "s/(^.*\"Analysis Summary\"\: )//g" max_match=0
``` Strip the trailing part of the event, from the comma before RAM_Tracking to the end. ```
| rex field=_raw mode=sed "s/(,\"RAM_Tracking.*)//g" max_match=0
``` Multivalue Database: each key whose object begins with the Available key (DB1 to DB5 for the sample event). ```
| rex field=_raw "\"(?<Database>[^\"]+)\": \{\"Available" max_match=0
``` Multivalue Data: each object after a colon, matched lazily up to its first closing brace (assumes flat, un-nested objects). ```
| rex field=_raw ":\s?(?<Data>\{.+?})" max_match=0
``` Zip names and objects together position by position with a pipe separator, then fan out to one row per pair. ```
| eval tmp = mvzip(Database,Data,"|")
| mvexpand tmp
``` Recover the name (piece 0) and the object text (piece 1) from each pair; a pipe character inside the data would break this split. ```
| eval Database=mvindex(split(tmp,"|"),0), Data=mvindex(split(tmp,"|"),1)
``` Extract available, used (optional, so DB3 still matches), used_p and status from the object text. ```
| rex field=Data "{\"Available\"\:\s?\"(?<available>[^,]+)\",(\"Used\"\:\s?\"(?<used>[^,]+)\",)?\"Used\(%\)\"\:\s?\"(?<used_p>[^,]+)\",\"Status\"\:\s?\"(?<status>[^}]+)\"}"
| table Database available used used_p status

I hope this will help you.

Thanks
KV

If any of my replies help you to solve the problem or gain knowledge, an upvote would be appreciated.