I am trying to find frequently used search filters from my application log. I have written a below query to extract a json from the log and store it in the search_filter variable index="*" "Searching records" | rex field=_raw "(?P<search_filter>\{.*\})" | eval search_filter=replace(search_filter,"\\\\\"","\"") The resulting json in the search_filter variable for one event looks like below { "pageSize": 0, "offset": 0, "criteria":[ { "field": "status", "operator": "equalsIgnoreCase", "values":["REPROCESS"] }, { "field": "id", "operator": "equals", "values":["352353"] }] } Now I want to convert this json in the below format and then finally sort this array and list it in the table ordered by count. [status##equalsIgnoreCase,id##equals] I tried doing the below  index="*" "Searching records" | rex field=_raw "(?P<search_filter>\{.*\})" | eval search_filter=replace(search_filter,"\\\\\"","\"") | eval cfo=json_extract(search_filter, "criteria{}.field", "criteria{}.operator") | eval cf=json_extract(cfo,"{0}") | eval co=json_extract(cfo,"{1}") | eval cfos=mvzip(cf, co, "##") This results in cfos are like this which is not what I want. I am not able to use mvzip on the json array. ["status","id"]##["equalsIgnoreCase","equals"]  Any suggestions on how to go about it or is there a better way in finding  frequently used filters in my scenario. ... View more