Note: The 10 result limit for map is a soft limit, you can go more with the maxsearches=X setting, but again, map is rarely useful. Glad you got a working solution.   ... View more

(First off, please post sample data as text block, not screenshot.)  You should first convert JSON array Policy{} into multivalue of its JSON element before applying mvexpand.  spath is very useful here.  In 9.0, Splunk added a new command fromjson which is more convenient for your case.  The following uses fromjson:   | fromjson _raw | mvexpand Policies | fromjson Policies | stats count by displayName result   Your mock data gives displayName result count Policy1 success 1 Policy2 failure 1 Policy3 notApplied 1 This is an emulation of your mock data you can play with and compare with real data   | makeresults | eval _raw = "{\"SigninId\": \"some-id\", \"Policies\": [ { \"id\": \"1234\", \"displayName\": \"Policy1\", \"result\": \"success\" }, { \"id\": \"4353\", \"displayName\": \"Policy2\", \"result\": \"failure\" }, { \"id\": \"0093\", \"displayName\": \"Policy3\", \"result\": \"notApplied\" } ]"     ... View more