Hi,

New to Splunk, first time lister. Hoping for some help.

I am trying to extract nested JSON data from a Windows Event log message in Splunk. This works (up to a point):

index="someindex" host="Ahost1" | spath input=Message

It's great, except one of the JSON fields is called 'JSON_ArrayUsers', containing UPNs of users. Sometimes it contains a single user, sometimes more than one user. When there is more than one user, Splunk calls the field this:

JSON_ArrayUsers{}

and when just a single user is listed it names the field this:

JSON_ArrayUsers

This makes searching the field difficult as it's called two different things. Is there an easy way to stop the {} appearing - I already know it's an array!

Thanks,
Pete