A pointer: When anonymizing structured data, make sure the structure itself is compliant. I think you mean your event looks like

{"target": [
    {
      "alternateId": "application1",
      "detailEntry": {},
      "displayName": "OpenID Connect Client",
      "id": "asdfasdf",
      "type": "AppInstance"
    },
    {
      "alternateId": "unknown",
      "detailEntry": "null",
      "displayName": "Unregistered Device - Default",
      "id": "adsfasdf",
      "type": "Rule"
    }
] }

You can use mvexpand before the filter or use mvfilter. Using mvexpand is more traditional:

| spath path=target{}
| mvexpand target{}
| where json_extract('target{}', "type") == "Rule"
| eval displayName = json_extract('target{}', "displayName")

Use of JSON functions above assumes that you use Splunk 8 or later, but the mvexpand method can still work without JSON functions; you just use another round of spath. Using mvfilter, on the other hand, requires JSON functions first introduced in Splunk 8.

| spath path=target{}
| eval target = mvfilter(json_extract('target{}', "type") == "Rule")
| eval displayName = json_extract(target, "displayName")

Hope this helps.
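A self-contained version of the mvfilter search from the answer above, added here as an example and not part of the original post: the sample event is constructed inline with makeresults (the same two-element target array as the answer's JSON, with the placeholder ids it uses), so the search runs in any search bar without an index or a sourcetype. It requires the JSON eval functions (json_extract) and keeps the whole event as one row, so there is no mvexpand step.

```spl
| makeresults
| eval _raw="{\"target\":[{\"alternateId\":\"application1\",\"detailEntry\":{},\"displayName\":\"OpenID Connect Client\",\"id\":\"asdfasdf\",\"type\":\"AppInstance\"},{\"alternateId\":\"unknown\",\"detailEntry\":\"null\",\"displayName\":\"Unregistered Device - Default\",\"id\":\"adsfasdf\",\"type\":\"Rule\"}]}"
| spath path=target{}
| eval rule = mvfilter(json_extract('target{}', "type") == "Rule")
| eval displayName = json_extract(rule, "displayName")
| eval ruleId = json_extract(rule, "id")
| table displayName ruleId
```

Expected result is a single row with displayName "Unregistered Device - Default" and ruleId "adsfasdf"; the AppInstance element is dropped by mvfilter before either json_extract runs. If you need one row per matching element (for example to stats by displayName across many events), swap the mvfilter line for | mvexpand target{} followed by the where clause from the answer, but remember that mvexpand is bounded by max_mem_usage_mb in limits.conf and truncates large arrays rather than failing loudly, which matters when the array is the thing you are auditing.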