Okay, I misunderstood.  I think you are asking for something like this? Index Packet Bytes 0 1 10 1 4 40 2 2 20   |makeresults | eval json="{\"Packets\":{\"0\": 4, \"1\": 3}, \"Bytes\":{\"0\":8, \"1\":42} }" | spath input=json | table Packets.* Bytes.* | eval indexes=null(), packets=null(), bytes=null() | foreach Packets.* [ eval indexes=mvappend(indexes,"<<MATCHSEG1>>"), packets=mvappend(packets,'<<FIELD>>') ] | foreach Bytes.* [ eval bytes=mvappend(bytes,'<<FIELD>>') ] | eval i_p_b=mvzip(mvzip(indexes, packets), bytes) | fields i_p_b | mvexpand i_p_b | rex field=i_p_b "^(?<index>\d+),(?<packet>\d+),(?<bytes>\d+)"     ... View more

Hi, would something like this work for you? |makeresults | eval json="{\"Packets\":{\"0\": 4, \"1\": 3}, \"Bytes\":{\"0\":8, \"1\":42} }" | spath input=json | table Packets.* Bytes.* Basically I take the string, parse it to json, then I can use dot notation and wildcards to extract the key names to be column names.   ... View more

Hi, you could use something like spath to process the json and then pick the logs array out of the resultant object.  Maybe something like this: |makeresults | eval json="{\"name\":\"json_name\", \"logs\":[{\"name\":\"log1\"}, { \"name\":\"log2\"}]}", output_log_array=spath(json,"logs{}"), output_log_names=spath(json,"logs{}.name") I added a second example with output_log_names to show how you would extract particular fields within the array json into their own multivalued field.        ... View more

Hi, I think you want to use the rex command here.  In my example below, I am taking the leading four octets of src and dst and putting them into new fields named src_after and dst_after.  Everything after the first four octets is ignored.  All of the stuff in |makeresults and |spath is just for me to build up some fake data using what you provided.  The part you want to look at starts with the |rex steps.  I hope this helps. | makeresults | eval json="{ \"src\":\"10.0.1.5:50492:X2\", \"dst\":\"8.8.8.8:53:X1\" }" | append [| makeresults | eval json="{ \"src\":\"192.168.1.100:37016:X0\", \"dst\":\"54.81.233.206:443:X1\" }"] | append [| makeresults | eval json="{ \"src\":\"192.168.1.100:38376:X0\", \"dst\":\"104.244.42.130:443:X1\" }"] | append [| makeresults | eval json="{ \"src\":\"192.168.1.100:38611:X0\", \"dst\":\"172.217.132.170:443:X1\" }"] | spath input=json | rex field=src "^(?<src_after>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})" | rex field=dst "^(?<dst_after>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})" | table src src_after dst dst_after     ... View more

My bad.  This is a bit cleaner.  Clearly I'm up too late and forgot about mvjoin | makeresults | eval json="{ \"stuff\":[{\"name\": \"name0\", \"value\": \"value0\"},{\"name\": \"name1\", \"value\": \"value1\"}] }" | spath input=json | rename "stuff{}.name" as names, "stuff{}.value" as values, | eval range=mvrange(0,mvcount(names)), stuff=mvmap(range,"\"".mvindex(names,range)."\":\"".mvindex(values,range)."\""), stuff=mvjoin(stuff,",") | eval stuff="{".stuff."}" | table json stuff ... View more

Hi, I think something like this will work | makeresults | eval json="{ \"stuff\":[{\"name\": \"name0\", \"value\": \"value0\"},{\"name\": \"name1\", \"value\": \"value1\"}] }" | spath input=json | rename "stuff{}.name" as names, "stuff{}.value" as values, | eval range=mvrange(0,mvcount(names)), stuff=mvmap(range,"\"".mvindex(names,range)."\":\"".mvindex(values,range)."\"") | nomv stuff | eval stuff="{".replace(stuff,"\n",",")."}" | table json stuff       ... View more