
Expanding nested JSON events into multiple events for search

I have nested JSON events indexed in Splunk. Here's an example of 2 (note: confidence value differs):

Event 1:

```
{
  email: hidden@hidden.com
  filter: confidence >= 60
  id: 2087
  integrations: [
    { name: nitro, product: nitro, product_version: 9.3 }
    { name: paloaltonetworks, product: paloaltonetworks, product_version: 3020 }
  ]
  last_intelligence: 2017-02-21T11:54:39.260329+00:00
  title: hidden
  user_id: 8721
  username: hidden@hidden.com
}
```

Raw E1:

```
{"username": " hidden@hidden.com", "user_id": 8721, "title": "hidden", "integrations": [{"product": "nitro", "product_version": "9.3", "name": "nitro"}, {"product": "paloaltonetworks", "product_version": "3020", "name": "paloaltonetworks"}], "email": " hidden@hidden.com", "filter": "confidence >= 60", "id": 2087, "last_intelligence": "2017-02-21T11:54:39.260329+00:00"}
```

Event 2:

```
{
  email: hidden@hidden.com
  filter: confidence >= 50
  id: 2087
  integrations: [
    { name: nitro, product: nitro, product_version: 9.3 }
    { name: paloaltonetworks, product: paloaltonetworks, product_version: 3020 }
  ]
  last_intelligence: 2017-02-21T11:54:39.260329+00:00
  title: hidden
  user_id: 8721
  username: hidden@hidden.com
}
```

Raw E2:

```
{"username": " hidden@hidden.com", "user_id": 8721, "title": "hidden", "integrations": [{"product": "nitro", "product_version": "9.3", "name": "nitro"}, {"product": "paloaltonetworks", "product_version": "3020", "name": "paloaltonetworks"}], "email": " hidden@hidden.com", "filter": "confidence >= 50", "id": 2087, "last_intelligence": "2017-02-21T11:54:39.260329+00:00"}
```

Fields are extracted into fields `integration{}.name`, `integration{}.product`, `integration{}.product_version`. I want to have each nested value for each represent a single event for each `integration{}.*`.

If we imagine this as events:

```
Event 1A:
{
  email: hidden@hidden.com
  filter: confidence >= 60
  id: 2087
  integrations: [
    { name: nitro, product: nitro, product_version: 9.3 }
  ]
  last_intelligence: 2017-02-21T11:54:39.260329+00:00
  title: hidden
  user_id: 8721
  username: hidden@hidden.com
}

Event 1B:
{
  email: hidden@hidden.com
  filter: confidence >= 60
  id: 2087
  integrations: [
    { name: paloaltonetworks, product: paloaltonetworks, product_version: 3020 }
  ]
  last_intelligence: 2017-02-21T11:54:39.260329+00:00
  title: hidden
  user_id: 8721
  username: hidden@hidden.com
}

Event 2A:
{
  email: hidden@hidden.com
  filter: confidence >= 50
  id: 2087
  integrations: [
    { name: nitro, product: nitro, product_version: 9.3 }
  ]
  last_intelligence: 2017-02-21T11:54:39.260329+00:00
  title: hidden
  user_id: 8721
  username: hidden@hidden.com
}

Event 2B:
{
  email: hidden@hidden.com
  filter: confidence >= 50
  id: 2087
  integrations: [
    { name: paloaltonetworks, product: paloaltonetworks, product_version: 3020 }
  ]
  last_intelligence: 2017-02-21T11:54:39.260329+00:00
  title: hidden
  user_id: 8721
  username: hidden@hidden.com
}
```

I am experimenting with `spath` and `mvexpand` searches, but I am getting some odd results and behaviour using examples from previous answer threads (lots of duplicated events, mvfields, etc.).

Ultimately I want to graph these events as tables like:

| username | user_id | id | email | title | name | product | product_version | last_intelligence | filter |
|---|---|---|---|---|---|---|---|---|---|
| hidden@hidden.com | 8721 | 2087 | hidden@hidden.com | hidden | nitro | nitro | 9.3 | 2017-02-21T11:54:39.260329+00:00 | confidence >= 60 |
| hidden@hidden.com | 8721 | 2087 | hidden@hidden.com | hidden | paloaltonetworks | paloaltonetworks | 3020 | 2017-02-21T11:54:39.260329+00:00 | confidence >= 60 |
| hidden@hidden.com | 8721 | 2087 | hidden@hidden.com | hidden | nitro | nitro | 9.3 | 2017-02-21T11:54:39.260329+00:00 | confidence >= 50 |
| hidden@hidden.com | 8721 | 2087 | hidden@hidden.com | hidden | paloaltonetworks | paloaltonetworks | 3020 | 2017-02-21T11:54:39.260329+00:00 | confidence >= 50 |

Can anyone give me any pointers? Thanks!
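One search shape that produces the one-row-per-integration table asked for above, added here as an illustration and not taken from the thread or any answer to it. It assumes the events live in a placeholder `index=your_index sourcetype=your_sourcetype` and that Splunk already auto-extracts the top-level JSON keys (`username`, `filter`, etc.) at search time.

```spl
index=your_index sourcetype=your_sourcetype
| fields _time _raw username user_id id email title last_intelligence filter
| spath path=integrations{} output=integration
| mvexpand integration
| spath input=integration
| fields - integration _raw
| table username user_id id email title name product product_version last_intelligence filter
```

Expanding each array element as a single multivalue field (`integration`, one JSON object per value) and then re-running `spath input=integration` on the expanded copy avoids the cross-product duplicates that appear when `mvexpand` is applied to `integrations{}.name`, `integrations{}.product` and `integrations{}.product_version` one at a time. `mvexpand` output is capped by `max_mem_usage_mb` under the `[mvexpand]` stanza of limits.conf, so the narrow `fields` line before it matters on large events.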
