Hi Splunkers.

I have two level of logs (NOTICE,ERROR), for Error logs(json), method_name and message is automatically getting extracted but not for NOTICE logs, So i have written my case statement like below in UI  and its working fine but im not sure how to deploy this in props.conf

index=index_name sourcetype=sourctype_name  log_level=NOTICE
|eval message =case(method_name='protopayload.table.create'=="table created",method_name='protopayload.table.delete'=="table deleted")

i dont want to write case statement for error logs as its already getting extracted fine.

to be precise:- i want my fields extraction to happen automatically for error logs (as its getting extracted automatically) and want my case statement work only for notice logs.

Please assist on this