It sounds like each event is a summary report for a day.

Your response worked but I am getting all the events of "all time" even if I have selected a timestamp of 24h.

Do you mean that when your time selector is for the last 24 hours, Splunk returns multiple daily summaries? If _time and the date key do not agree, and if your intention is to search for those summaries that fall within your search window, you can filter by that key, e.g.,

| spath path=employees
| eval date = json_array_to_mv(json_keys(employees))
| mvexpand date ``` skip this if each employees record has only one top level key ```
| addinfo
| eval date_start = strptime(date, "%F")
| where info_min_time <= date_start AND relative_time(date_start, "+1d") < info_max_time
| eval day_employees = json_extract(employees, date)
| eval employee_id = json_array_to_mv(json_keys(day_employees))
| mvexpand employee_id
| eval day_employees = json_extract(day_employees, employee_id)
| spath input=day_employees