Try this:
|makeresults | eval _raw="{
\"username\": \"nsroot\",
\"resourceName\": \"\",
\"ns\": [
{
\"network_interfaces\": [
{
\"port_name\": \"LA/1\"
},
{
\"port_name\": \"10/2\"
},
{
\"port_name\": \"10/1\"
}
],
\"ip_address\": \"172.16.30.131\",
\"instance_state\": \"Up\"
},
{
\"network_interfaces\": [
{
\"port_name\": \"10/2\"
},
{
\"port_name\": \"LA/1\"
},
{
\"port_name\": \"10/1\"
}
],
\"ip_address\": \"172.16.30.81\",
\"instance_state\": \"Up\"
},
{
\"network_interfaces\": [
{
\"port_name\": \"10/1\"
},
{
\"port_name\": \"10/16\"
},
{
\"port_name\": \"LA/8\"
},
{
\"port_name\": \"LA/1\"
},
{
\"port_name\": \"10/2\"
},
{
\"port_name\": \"10/15\"
}
],
\"ip_address\": \"172.16.30.181\",
\"instance_state\": \"Up\"
}
],
\"errorcode\": 0,
\"operation\": \"get\",
\"resourceType\": \"ns\",
\"tenant_name\": \"Owner\",
\"message\": \"Done\"
}"
| rename COMMENT AS "Everything above generates sample event data; everything below is your solution."
| rex max_match=0 "(?s)(?<ns>\"network_interfaces\":.*?\"instance_state\":\s*[^\r\n]+)"
| table ns
| mvexpand ns
| rename ns AS _raw
| eval _raw = "{" . _raw . "}"
| spath
| rename network_interfaces{}.port_name AS interfaces
| stats values(interfaces) BY ip_address instance_state
... View more