I'm not a big fan of (mis)using actual data as JSON key.  If you have any influence over your developers, ask them to design a proper data structure. To rescue data in its current state, Splunk will need to construct a proper structure.  For this purpose,  json_set that Splunk added in 8.0 comes handy.  Like this: (Because you didn't enclose sample data, I just assume that lint-info is a top key in your raw data.)   | spath path=lint-info.-Wunused-but-set-variable{} | spath path=lint-info.-Wunused-genvar{} | mvexpand lint-info.-Wunused-but-set-variable{} | mvexpand lint-info.-Wunused-genvar{} | rename lint-info.*{} AS * | foreach -Wunused-* [eval -Wunused = mvappend('-Wunused', json_set('<<FIELD>>', "type", "<<FIELD>>"))] | mvexpand -Wunused | spath input=-Wunused | fields - -Wunused-* _*   This is the result from your sample: -Wunused location.column location.filename location.line source type warning {"location":{"column":58,"filename":"ab1","line":237},"source":"logic [MSGG_RX_CNT-1:0][MSGG_RX_CNT_MAXWIDTH+2:0] msgg_max_unrsrvd_temp; // temp value including carry out","warning":"variable 'msgg_max_unrsrvd_temp' is assigned but its value is never used","type":"-Wunused-but-set-variable"} 58 ab1 237 logic [MSGG_RX_CNT-1:0][MSGG_RX_CNT_MAXWIDTH+2:0] msgg_max_unrsrvd_temp; // temp value including carry out -Wunused-but-set-variable variable 'msgg_max_unrsrvd_temp' is assigned but its value is never used {"location":{"column":11,"filename":"ab3","line":328},"source":"genvar nn,oo;","warning":"unused genvar 'oo'","type":"-Wunused-genvar"} 11 ab3 328 genvar nn,oo; -Wunused-genvar unused genvar 'oo' {"location":{"column":58,"filename":"ab2","line":254},"source":"logic msgg_avail_cnt_err; // Available Counter update error detected","warning":"variable 'msgg_avail_cnt_err' is assigned but its value is never used","type":"-Wunused-but-set-variable"} 58 ab2 254 logic msgg_avail_cnt_err; // Available Counter update error detected -Wunused-but-set-variable variable 'msgg_avail_cnt_err' is assigned but its value is never used {"location":{"column":11,"filename":"ab3","line":328},"source":"genvar nn,oo;","warning":"unused genvar 'oo'","type":"-Wunused-genvar"} 11 ab3 328 genvar nn,oo; -Wunused-genvar unused genvar 'oo' Here is data emulation that you can play with and compare with real data   | makeresults | eval _raw = "{\"lint-info\": { \"-Wunused-but-set-variable\": [ { \"location\": { \"column\": 58, \"filename\": \"ab1\", \"line\": 237 }, \"source\": \"logic [MSGG_RX_CNT-1:0][MSGG_RX_CNT_MAXWIDTH+2:0] msgg_max_unrsrvd_temp; // temp value including carry out\", \"warning\": \"variable 'msgg_max_unrsrvd_temp' is assigned but its value is never used\" }, { \"location\": { \"column\": 58, \"filename\": \"ab2\", \"line\": 254 }, \"source\": \"logic msgg_avail_cnt_err; // Available Counter update error detected\", \"warning\": \"variable 'msgg_avail_cnt_err' is assigned but its value is never used\" } ], \"-Wunused-genvar\": [ { \"location\": { \"column\": 11, \"filename\": \"ab3\", \"line\": 328 }, \"source\": \"genvar nn,oo;\", \"warning\": \"unused genvar 'oo'\" } ], \"total\": 3, \"types\": [ \"-Wunused-but-set-variable\", \"-Wunused-genvar\" ] }}" ``` data emulation above ```   Hope this helps.

i have my json data where sometimes we are unable to see the status: closed field in some of the events as i want to write a regex to bring this in event  state: { [-]      alert_id: orca-8452634      closed_reason: null      closed_time: null      created_at: 2023-07-06T11:41:18+00:00      high_since: null      in_verification: null      is_new_score: null      last_seen: 2024-02-04T11:38:11+00:00      last_updated: 2024-02-05T13:45:45+00:00      low_since: 2024-02-05T13:45:45+00:00      orca_score: 7      risk_level: high      rule_source: null      score: 2      severity: imminent compromise      status: closed      status_time: 2024-02-05T13:45:45+00:00      verification_status: null   Can anyone help us to close this 

Sourcetypes should match between inputs.conf and props.conf, except when props are specified for hosts or sources rather than sourcetypes.  The indexes.conf file does not use sourcetypes. The regex needs an escape character before the /.  Also, the expression has two capture groups so make sure $1 is the group you expect.  Or use a single group. Hostname>(?<hostname>.*?)<\/Hostname

 I still have on last small issue: so what the spl does, if values are missing it adds true to the last ones not the correct ones : Example :  -config Conf-console -ntpsync no --check_core no shoul give : Flag : config Value: Conf Flag : console Value: true Flag : ntpsync Value: no Flag : check_core Value: no but it extract all the values and then add true to the last values so it gives this which is incorrect: Flag : config Value: Conf Flag : console Value: no Flag : ntpsync Value: no Flag : check_core Value: true so I think if you can show me a way to move those without values to the last so they will be matched with the true values, it would be really helpful

In my indexes.conf there isn't a stanza specified for source type the lines i have are [example] coldPath coldToFrozenDir enableDataIntergrity homePath thawedpath   The index in the props.conf that works is   [source::C:\\examplelogs*] EXTRACT-logs = Hostname>(?<hostname>(.*?))</Hostname

Hello, everyone In case you missed it, there is a Smart Agent article in the Knowledge Base: Just one Smart Agent: unlimited agent management control  The included 9-minute video includes an overview of Smart Agent and it’s real-world benefits, followed by a demonstration of its capabilities right in the UI. Along with the video, the article lists key points discussed accompanied by timestamps so you can find them in the video. Do let me know if there's anything I can do to make this content more usable for you. Thanks! Claudia

It works when I use below query, ....| spath path=lint-info.-Wunused-but-set-variable{} output=members | stats count by members InstanceName   But I don't know the values of Type. If there are more than 1 type, query should automatically break into individual events. 

The where command does not support the IN operator.  It does support the in function, which has a different syntax. The point of my original reply to say that extra code to force a set of values into a comma-separated list for the benefit of the IN operator is wasted effort.  The interpreter is just going to convert that comma-separated list into a series of OR operators so you might well just take the raw result from the subsearch (without usingIN).

Noted on that, but, this throws me an Error in 'where' command: The expression is malformed. Expected ).  index="main" label=x source="C:\\Users\\me\\Documents\\test22.csv" | eval hm = replace(hostname,",","") | where hm IN ([search index=main label=y userid=tom | fields associateddev | eval list_value = replace(associateddev,"{'","") | eval list_value = replace(list_value,"'}","") | eval list_value = split(list_value,"', '") | mvexpand list_value | stats values(list_value) as search]) but this works assuming i dont do any operations to hostname column. is it possible to insert some eval on hostname before doing the IN operation?  index="main" label=x source="C:\\Users\\me\\Documents\\test22.csv" hostname IN ([search index=main label=y userid=tom | fields associateddev | eval list_value = replace(associateddev,"{'","") | eval list_value = replace(list_value,"'}","") | eval list_value = split(list_value,"', '") | mvexpand list_value | stats values(list_value) as search])

Hi @Ajit.kunjir, Thanks for asking your question on the Community. Please check out this AppD Docs page to see if it helps. https://docs.appdynamics.com/appd/22.x/latest/en/database-visibility/add-database-collectors/configure-oracle-collectors

Hi @Jahnavi.Vangari, Thanks for asking your question on the Community. I found this Docs page that might be helpful https://docs.appdynamics.com/appd/22.x/latest/en/appdynamics-essentials/alert-and-respond/actions/predefined-templating-variables Be sure to check out the left side navigation for similar articles that may help.