sure @ITWhisperer This is how the JSON will look like. { "source_dict=source_name,source_dict=location,context=location_code,manage=1,function=1,data1=1,data2=12:source create": { "COMMENT": "None", "MODULE_DATA": "source_dict=source_name,source_dict=location,context=location_code,manage=1,function=1,data1=1,data2=12", "MOD_1": "source_inst", "MOD_2": "name_1", "MOD_3": "sub_inst", "MOD_4": "execute", "MOD_5": "None", "MOD_6": "XER1", "MOD_7": "None", "MOD_8": "source create", "MOD_9": "A1", "MOD_10": "None", "MOD_11": "None", "MOD_12": "None", "TIMESTAMP": "test_time" }, "source_dict=source_name,source_dict=location,context=location_code,manage=1,function=1,data1=1,data2=12:source change:param1": { "COMMENT": "None", "MODULE_DATA": "source_dict=source_name,source_dict=location,context=location_code,manage=1,function=1,data1=1,data2=12", "MOD_1": "source_inst", "MOD_2": "name_1", "MOD_3": "sub_inst", "MOD_4": "execute", "MOD_5": "12", "MOD_6": "XER1", "MOD_7": "None", "MOD_8": "source change", "MOD_9": "A1", "MOD_10": "param1", "MOD_11": "None", "MOD_12": "None", "TIMESTAMP": "test_time" }, "source_dict=source_name,source_dict=location,context=location_code,manage=1,function=1,data1=1,data2=12:source change:temo1aaa": { "COMMENT": "None", "MODULE_DATA": "source_dict=source_name,source_dict=location,context=location_code,manage=1,function=1,data1=1,data2=12", "MOD_1": "source_inst", "MOD_2": "name_1", "MOD_3": "sub_inst", "MOD_4": "execute", "MOD_5": "-1231321", "MOD_6": "XER1", "MOD_7": "None", "MOD_8": "source change", "MOD_9": "A1", "MOD_10": "temo1aaa", "MOD_11": "None", "MOD_12": "None", "TIMESTAMP": "test_time" } } This entire dictionary is considered as one single event in Splunk. I wanted to parse this dictionary and extract the second-level dictionary. i.e. this part alone(see below), as an individual Splunk event, so that I can use spath on it and make it in the form of a table. { "COMMENT": "None", "MODULE_DATA": "source_dict=source_name,source_dict=location,context=location_code,manage=1,function=1,data1=1,data2=12", "MOD_1": "source_inst", "MOD_2": "name_1", "MOD_3": "sub_inst", "MOD_4": "execute", "MOD_5": "None", "MOD_6": "XER1", "MOD_7": "None", "MOD_8": "source create", "MOD_9": "A1", "MOD_10": "None", "MOD_11": "None", "MOD_12": "None", "TIMESTAMP": "test_time" }
... View more