I have a field that consists of data separated from a JSON data field using this search:

    index="test-99" sourcetype="csv" | eval AuditData_keys = json_keys(AuditData)

This works perfectly and creates the field called AuditData_keys.

The data in field AuditData_keys is unique based on the values in a field called Operations. There are 39 unique values, each with its own unique set of fields. I'm trying to export each value of the Operations field into distinct fields per value.

My initial idea was to have individual eventtypes for each Operations value. The issue I'm having is what is the best way to extract the fields, as they contain similar fields as well as additional fields for each Operations value.

I came up with this search to create a value for each value in the Operations field and its relevant data fields:

    index="test-99" sourcetype="csv" | eval AuditData_keys = json_keys(AuditData) | table Operations AuditData_keys | dedup AuditData_keys | outputcsv AuditData_extracted_fields_unique.csv

Here is a sample of one Operations value and its fields.

Operation value: UserLoginFailed

Values (fields) from the AuditData_keys:

    ["CreationTime","Id","Operation","OrganizationId","RecordType","ResultStatus","UserKey","UserType","Version","Workload","ClientIP","ObjectId","UserId","AzureActiveDirectoryEventType","ExtendedProperties","ModifiedProperties","Actor","ActorContextId","ActorIpAddress","InterSystemsId","IntraSystemId","SupportTicketId","Target","TargetContextId","ApplicationId","DeviceProperties","ErrorNumber","LogonError"]

Short of manually typing the fields for each Operations value and using the strings command, there has to be a more efficient way.

This is O365 audit data extracted with PowerShell as a CSV file that has embedded JSON data.

Thanks in advance,
Robert
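The same per-operation field discovery and split, done offline over the exported CSV, as an added example that is not part of the original post or of Splunk. It assumes a CSV with the columns RecordType, Operations and AuditData (the embedded JSON), as described above; the rows, field names and values below are constructed for illustration. The script parses each AuditData blob, flattens nested objects and lists into dotted paths, unions the keys seen per operation (the equivalent of the json_keys + dedup step, but merged across all events of that operation rather than deduplicated per exact key set), and emits one CSV per operation with only that operation's columns.

```python
import csv
import io
import json
from collections import defaultdict

# Constructed sample export: CSV rows whose AuditData column holds a JSON
# object. Inner double quotes are doubled per the CSV quoting rules.
SAMPLE_CSV = (
    "RecordType,Operations,AuditData\n"
    '15,UserLoginFailed,"{""Operation"":""UserLoginFailed"",""ClientIP"":""203.0.113.5"",'
    '""LogonError"":""InvalidUserNameOrPassword"",'
    '""ExtendedProperties"":[{""Name"":""UserAgent"",""Value"":""Mozilla/5.0""}]}"\n'
    '15,UserLoggedIn,"{""Operation"":""UserLoggedIn"",""ClientIP"":""203.0.113.6"",'
    '""UserId"":""alice@example.com""}"\n'
    '15,UserLoginFailed,"{""Operation"":""UserLoginFailed"",""ClientIP"":""198.51.100.9"",'
    '""LogonError"":""InvalidUserNameOrPassword"",""ErrorNumber"":""50126""}"\n'
    '6,FileAccessed,"{""Operation"":""FileAccessed"",'
    '""ObjectId"":""https://example.sharepoint.com/doc.docx""}"\n'
)


def flatten(value, path=""):
    """Flatten nested JSON into {dotted.path: scalar}; list items get [index]."""
    flat = {}
    if isinstance(value, dict):
        for key, inner in value.items():
            flat.update(flatten(inner, f"{path}.{key}" if path else key))
    elif isinstance(value, list):
        for i, inner in enumerate(value):
            flat.update(flatten(inner, f"{path}[{i}]"))
    else:
        flat[path] = value
    return flat


def load_records(csv_text):
    """Read the export and parse AuditData; rows with unparseable JSON are
    kept (with an empty object) so no audit event silently disappears."""
    records = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        try:
            row["AuditData"] = json.loads(row.get("AuditData", ""))
        except json.JSONDecodeError:
            row["AuditData"] = {}
        records.append(row)
    return records


def keys_by_operation(records):
    """Union of flattened AuditData keys seen for each Operations value."""
    keys = defaultdict(set)
    for rec in records:
        keys[rec["Operations"]].update(flatten(rec["AuditData"]).keys())
    return {op: sorted(k) for op, k in keys.items()}


def split_by_operation(records):
    """Return {operation: csv_text}; each CSV carries the base columns plus
    only the JSON keys that operation actually uses (missing values blank)."""
    base_columns = [c for c in records[0] if c != "AuditData"] if records else []
    schema = keys_by_operation(records)
    per_op = defaultdict(list)
    for rec in records:
        flat = {c: rec[c] for c in base_columns}
        flat.update(flatten(rec["AuditData"]))
        per_op[rec["Operations"]].append(flat)
    out = {}
    for op, rows in per_op.items():
        buf = io.StringIO()
        writer = csv.DictWriter(buf, fieldnames=base_columns + schema[op], restval="")
        writer.writeheader()
        writer.writerows(rows)
        out[op] = buf.getvalue()
    return out


if __name__ == "__main__":
    recs = load_records(SAMPLE_CSV)
    for op, cols in keys_by_operation(recs).items():
        print(f"{op}: {cols}")
    for op, text in split_by_operation(recs).items():
        print(f"--- {op}.csv ---\n{text}")
```

Inside Splunk itself, `spath input=AuditData` extracts every key of the embedded JSON into its own field for each event without listing them by hand, so a `| spath input=AuditData` followed by a `stats` or `outputcsv` grouped by Operations gives the same per-operation split at search time.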