• Alex,

Here is one way to do it without using parse multi. The only gotcha is that you will have to create a parse statement for each set of arrays. For example, the parse statement below will parse on the arrays with 4, 5 and 6 numerical fields.

| parse regex "riskTuples\":\":-(?<t1>\d+)-(?<t2>\d+)-(?<t3>\d+)-(?<t4>\d+)-(?<t5>\d+)-(?<t6>\d+)\",\"riskScores\":\":-(?<r1>\d+)-(?<r2>\d+)-(?<r3>\d+)-(?<r4>\d+)-(?<r5>\d+)-(?<r6>\d+)\"" nodrop
| parse regex "riskTuples\":\":-(?<t1>\d+)-(?<t2>\d+)-(?<t3>\d+)-(?<t4>\d+)-(?<t5>\d+)\",\"riskScores\":\":-(?<r1>\d+)-(?<r2>\d+)-(?<r3>\d+)-(?<r4>\d+)-(?<r5>\d+)\"" nodrop
| parse regex "riskTuples\":\":-(?<t1>\d+)-(?<t2>\d+)-(?<t3>\d+)-(?<t4>\d+)\",\"riskScores\":\":-(?<r1>\d+)-(?<r2>\d+)-(?<r3>\d+)-(?<r4>\d+)\"" nodrop
| concat("tuples = ", t1," ","score=", r1) as newfield1
| concat("tuples = ", t2," ","score=", r2) as newfield2
| concat("tuples = ", t3," ","score=", r3) as newfield3
| concat("tuples = ", t4," ","score=", r4) as newfield4
| concat("tuples = ", t5," ","score=", r5) as newfield5
| concat("tuples = ", t6," ","score=", r6) as newfield6
| fields newfield1, newfield2, newfield3, newfield4, newfield5, newfield6

• Alex,

Here is a better alternative, using parse with the multi option.

| json field=_raw "waf.riskTuples" as t
| json field=_raw "waf.riskScores" as r
| parse regex field=t "-(?<t1>\d+)" multi
| parse regex field=r "-(?<r1>\d+)" multi
| concat("tuples = ", t1," ","score=", r1) as newfield
| fields newfield
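
Added example, not part of either reply and not Sumo Logic code: the same tuple/score pairing done by position in Python for any number of entries, which covers both the per-length parse statements in the first reply and the multi parse in the second. The sample records and the names `split_risk_list` and `pair_risk` are constructed for illustration; the field layout (`waf.riskTuples` and `waf.riskScores` as `:-n-n-n` strings) is taken from the queries above.

```python
import json
import re

# A colon followed by one or more "-<digits>" groups, as in the regexes above.
_LIST_RE = re.compile(r"^:(?:-\d+)+$")

# Constructed sample records (not real WAF output).
SAMPLES = [
    '{"waf":{"riskTuples":":-3000013-950002-990011-960015","riskScores":":-5-4-2-2"}}',
    '{"waf":{"riskTuples":":-1-2-3-4-5-6-7","riskScores":":-9-8-7-6-5-4-3"}}',
    '{"waf":{"riskTuples":":-3000013-950002","riskScores":":-5-4-2"}}',
]


def split_risk_list(value):
    """Return the numeric entries of a ':-a-b-c' string, or [] if malformed."""
    if not isinstance(value, str) or not _LIST_RE.match(value):
        return []
    return [int(n) for n in value[2:].split("-")]


def pair_risk(raw_line):
    """Pair the i-th riskTuples entry with the i-th riskScores entry.

    Returns (pairs, problem); problem is None when both lists are
    well-formed and have the same length.
    """
    try:
        waf = json.loads(raw_line)["waf"]
        tuples = split_risk_list(waf.get("riskTuples"))
        scores = split_risk_list(waf.get("riskScores"))
    except (ValueError, KeyError, TypeError, AttributeError):
        return [], "no waf object in record"
    if not tuples or not scores:
        return [], "missing or malformed riskTuples/riskScores"
    if len(tuples) != len(scores):
        # Do not guess an alignment; surface the record for review instead.
        return [], f"length mismatch: {len(tuples)} tuples, {len(scores)} scores"
    return list(zip(tuples, scores)), None


if __name__ == "__main__":
    for line in SAMPLES:
        pairs, problem = pair_risk(line)
        if problem:
            print("skipped:", problem)
        for t, r in pairs:
            print(f"tuples = {t} score={r}")
```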