Hi Roshanon,
Check this one. The search below will help you extract all the fields in the JSON. NOTE: This will work only if all the fields are present in the events.
index=blah
| table _raw
| spath
| rename GpsUpdateRequest.* as * GpsUpdateRequest.GPSUpdateGroup{}.* as *
| eval first_Lat=mvindex(Lat,0)
| eval first_Long=mvindex(Long,0)
| eval end_lat=mvindex(Lat,mvcount(Lat)-1)
| eval end_long=mvindex(Long,mvcount(Long)-1)
| eval temp=mvzip(Elevation,mvzip(EventTimestamp,mvzip(Lat, mvzip(Long,mvzip(NodeSeq, Speed,"###"),"###"),"###"),"###"),"###")
| mvexpand temp
| rex field=temp "(?<Elevation>.*)###(?<EventTimestamp>.*)###(?<Lat>.*)###(?<Long>.*)###(?<NodeSeq>.*)###(?<Speed>.*)"
| fields - _raw, temp
I understand that you want to keep the first and last (lat and long) in each field; if that is not the case, remove the code below:
| eval first_Lat=mvindex(Lat,0)
| eval first_Long=mvindex(Long,0)
| eval end_lat=mvindex(Lat,mvcount(Lat)-1)
| eval end_long=mvindex(Long,mvcount(Long)-1)
Hope this helps you.
Thanks,
V
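
Added example, not part of the original reply: the mvzip approach above pairs values by position, so an array element that lacks a field shifts later values onto the wrong element. This variant expands each GPSUpdateGroup element first and runs spath on it separately, which keeps every value with its own element. The event built by makeresults is constructed sample data (its second element has no Speed), and the names all_lat, all_long and group are chosen for this example.

```spl
| makeresults
| eval _raw="{\"GpsUpdateRequest\":{\"GPSUpdateGroup\":[{\"NodeSeq\":1,\"EventTimestamp\":\"2020-01-01T00:00:00Z\",\"Lat\":10.1,\"Long\":20.1,\"Elevation\":5,\"Speed\":30},{\"NodeSeq\":2,\"EventTimestamp\":\"2020-01-01T00:00:10Z\",\"Lat\":10.2,\"Long\":20.2,\"Elevation\":6},{\"NodeSeq\":3,\"EventTimestamp\":\"2020-01-01T00:00:20Z\",\"Lat\":10.3,\"Long\":20.3,\"Elevation\":7,\"Speed\":50}]}}"
| spath path=GpsUpdateRequest.GPSUpdateGroup{}.Lat output=all_lat
| spath path=GpsUpdateRequest.GPSUpdateGroup{}.Long output=all_long
| eval first_Lat=mvindex(all_lat,0), first_Long=mvindex(all_long,0), end_lat=mvindex(all_lat,-1), end_long=mvindex(all_long,-1)
| spath path=GpsUpdateRequest.GPSUpdateGroup{} output=group
| mvexpand group
| spath input=group
| table NodeSeq EventTimestamp Lat Long Elevation Speed first_Lat first_Long end_lat end_long
| fields - _time
```

To run it against real data, replace the first two lines with the base search (index=blah in the reply above).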