Thank you for illustrating input in text format.  But please make sure JSON is conformant when doing mockups. Speaking of JSON, I always say do not treat structured data as text.  regex is not a suitable tool for structured data in most cases.  Splunk's robust, QA tested tool will save you countless hours down the road.  Traditional tool for this is spath.  Since 9.0, Splunk also added fromjson that can simplify this work.  I'll begin with the simpler one.  You didn't say which field the JSON is in, so I'll assume that's _raw in the following.   | fromjson _raw | mvexpand Field1 | fromjson Field1    This gives you Field1 id name occupation {"id":1234,"name":"John"} 1234 John   {"id":5678,"name":"Mary","occupation":{"title":"lawyer","employer":"law firm"}} 5678 Mary {"title":"lawyer","employer":"law firm"} The spath alternative is - again assuming JSON is in _raw   | spath path=Field1{} | mvexpand Field1{} | spath input=Field1{}   This gives Field1{} id name occupation.employer occupation.title { "id": 1234, "name": "John" } 1234 John     { "id": 5678, "name": "Mary", "occupation": { "title": "lawyer", "employer": "law firm" } } 5678 Mary law firm lawyer There  can be many variants in between.  But the essence is to extract elements of the JSON array, then handle the array as a multivalue field as a whole.  If, for example, there are too many elements and you worry about RAM, you can use mvfilter to get data about Mary as you are not interested in other entries:   | fromjson _raw | eval of_interest = mvfilter(json_extract(Field1, "name") == "Mary")   (Note you need 8.0 to use json_extract.) You get Field1 of_interest {"id":1234,"name":"John"} {"id":5678,"name":"Mary","occupation":{"title":"lawyer","employer":"law firm"}} {"id":5678,"name":"Mary","occupation":{"title":"lawyer","employer":"law firm"}} Hope this helps. By the way, the conformant form of your mock data is   { "Field1" : [ { "id": 1234, "name": "John" }, { "id": 5678, "name": "Mary", "occupation": { "title": "lawyer", "employer": "law firm" } } ] }   You can play with the following emulation and compare with real data   | makeresults | eval _raw = "{ \"Field1\" : [ { \"id\": 1234, \"name\": \"John\" }, { \"id\": 5678, \"name\": \"Mary\", \"occupation\": { \"title\": \"lawyer\", \"employer\": \"law firm\" } } ] }" ``` data emulation above ```    

Yeah I did that and it works for them. In the logs, I see the following error: 03-06-2024 05:05:01.427 -0800 ERROR ScriptRunner [1509543 AlertNotifierWorker-0] - stderr from '/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/search/bin/sendemail.py "results_link=https://splunksrver:8000/app/search/@go?sid=scheduler_bHVkQGVjbi5vZW0uZG9lLmdvdg__search__RMD500f838a99e0e9d56_at_1709730300_4407" "ssname=Test Windows Encode" "graceful=True" "trigger_time=1709730300" results_file="/opt/splunk/var/run/splunk/dispatch/scheduler_bHVkQGVjbi5vZW0uZG9lLmdvdg__search__RMD500f838a99e0e9d56_at_1709730300_4407/results.csv.gz" "is_stream_malert=False"':  _csv.Error: line contains NUL

Thanks for the response! With the test query, I'm seeing both sources. For further research I counted all the field_AB by sourcetype and found that there are significantly more source_2 than source_1, not sure if that affects anything though. sourcetype (last 5 min) source_1 -> count 147 source_2 -> count 66359 In my initial query, I do get both event from both sources. It's not populating the fields in each event the way I want it though. Inital Query Results field_D field_AB field_C field_E DeviceType UniqueID   Up DeviceType UniqueID   Down   UniqueID Data_2     UniqueID Data_1     Expected Query Results field_D field_AB field_C field_E DeviceType UniqueID Data_1 Up DeviceType UniqueID Data_2 Down DeviceType UniqueID Data_2 Down DeviceType UniqueID Data_1 Down  

Hi @mappu, check with the following search: index=your_index | eval diff=_indextime-_time | eval indextime=strftime(_indextime,"%Y-%m-%d %H:%M:$S") | table _time indextime diff if you have high differences between _time and indextime, you have a queue issue, if not the problem is another. About timestamp, check if in the loosing logs you have the timestamp definition or not, but using the formats you described, you souldn't have this issue. Ciao. Giuseppe

Hello @yuanliu, I tried your suggestion and modified column name "Grades" into "Grade", and it worked fine. I accepted your solution So, we had to split the data manually.      Note that there is still an issue with snap-to is shifting the data as discussed in my other post. I appreciate your assistance. Thank you

@shakti  You can also refer to some of Simple XML JavaScript extension examples on Splunk Dashboard Examples app on Splunkbase ( https://splunkbase.splunk.com/app/1603/  ) Or the Splunk Web Framework tutorial: http://dev.splunk.com/view/webframework-tutorials/SP-CAAAERB  https://answers.splunk.com/answers/579537/how-to-use-javascript-code-in-splunk-cloud-dashboa.html  https://community.splunk.com/t5/Dashboards-Visualizations/Creating-an-quot-About-this-dashboard-quot-popup-modal-view-when/m-p/426913  "Happy Splunking!!!"