Hi @bowesmana

Thanks for the response. When adding the mvcount we are adding the criteria for the JSON array to be of length one. Which does not solve my query. I will explain my case better with the following example:

Consider the following records:

event  event_details
E1     [{"product_id":"P001","price":9.99,"payment_method":"Credit Card"},{"product_id":"P002","price":10,"payment_method":"Credit Card"}]
E2     [{"product_id":"P001","price":9.99,"payment_method":"Credit Card"},{"product_id":"P002","price":10,"payment_method":"Paypal"}]
E3     [{"product_id":"P002","price":19.99,"payment_method":"Paypal"}]
E4     [{"product_id":"P001","price":9.99,"payment_method":"Paypal"},{"product_id":"P002","price":10,"payment_method":"Paypal"}]

source="sample_Logs.csv" host="si-i-01ab4b9a34d1f49ec.prd-p-gfp5t.splunkcloud.com" sourcetype="csv"
| tojson auto(*)
| spath "event_details{}.payment_method"
| where 'event_details{}.payment_method'="Paypal"

When using the above query I got 3 (E2, E3, E4) events in the response as shown in the below image.

I need to filter the events where all the purchases are done only by Paypal. So I am expecting the events E3 and E4 alone. Neglecting the event E2 since one of the purchases has been made by Credit Card.
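The post above describes an any-value match where an all-values match is wanted: `where field="Paypal"` is true as soon as one value of a multivalue field equals Paypal. The search below is an added example, not part of the original thread; it rebuilds the four sample records with `makeresults` so it runs without the CSV, and the field names `n`, `payment_method` and `distinct_methods` are assumptions chosen for illustration. It collapses each event's payment methods with `mvdedup` and keeps the event only when exactly one distinct value remains and that value is Paypal, which leaves E3 and E4.

```spl
| makeresults count=4
| streamstats count AS n
| eval event="E".n
| eval event_details=case(
    n=1, "[{\"product_id\":\"P001\",\"price\":9.99,\"payment_method\":\"Credit Card\"},{\"product_id\":\"P002\",\"price\":10,\"payment_method\":\"Credit Card\"}]",
    n=2, "[{\"product_id\":\"P001\",\"price\":9.99,\"payment_method\":\"Credit Card\"},{\"product_id\":\"P002\",\"price\":10,\"payment_method\":\"Paypal\"}]",
    n=3, "[{\"product_id\":\"P002\",\"price\":19.99,\"payment_method\":\"Paypal\"}]",
    n=4, "[{\"product_id\":\"P001\",\"price\":9.99,\"payment_method\":\"Paypal\"},{\"product_id\":\"P002\",\"price\":10,\"payment_method\":\"Paypal\"}]")
| spath input=event_details path={}.payment_method output=payment_method
| eval distinct_methods=mvdedup(payment_method)
| where mvcount(distinct_methods)=1 AND distinct_methods="Paypal"
| table event payment_method
```

Against the original data, the same two `eval`/`where` lines can follow the existing `spath` step with `'event_details{}.payment_method'` in place of `payment_method`. An event with no payment method at all is dropped, because `mvcount` of an empty field is null.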