Hi, thank you for replying back.   Settings: SmartStore: No Indexer clustering: No SF/RF Settings Splunk: SF=2, RF=3 Volume settings: Default settings Splunk Cloud: Yes Unfortunately, I am unable to run the "btool". However, I am able to run the following rest API query to gather the info from specific parameters for the mentioned index: | rest /services/data/indexes | join type=outer title [ | rest splunk_server=n00bserver /services/data/indexes-extended ] | search title=* | eval retentionInDays=frozenTimePeriodInSecs/86400 | table * What should be the parameters to look for?   Thanks again.    

There is so much "depends" here that we could open a nursing home.  Are you using SmartStore?  Are you using indexer clustering?  What are your SF/RF settings?  Are you using Volume settings for your indexers?  Are you Splunk Cloud?  What is the "btool" output for your indexes.conf from one of your indexers?

You are still throwing frowning faces Anyway, have you tried this index=activitylog_activityreceiver Environment="AWS-DEV6" MessageTemplate="Received Post Method for activity: {Activity}" | table Properties.Activity | spath input=Properties.Activity (There should be no need to run MessageTemplate="Received Post Method for activity: {Activity}" in a second search because it is at the same level as Environment="AWS-DEV6". Running a restriction in second search is less efficient.)

<>{"Level":"Information","MessageTemplate":"Received Post Method for activity: {Activity}","RenderedMessage":"Received Post Method for activity: \"{\\\"ClientId\\\":\\\"9115\\\",\\\"TenantCode\\\":\\\"Pcm.iLevelWebsite.Activities\\\",\\\"ActivityType\\\":\\\"SendTemplateSettings\\\",\\\"Source\\\":\\\"Web Entry Form\\\",\\\"SourcePath\\\":null,\\\"TenantContextId\\\":\\\"943fc4e0ab5f084274812d4d1ed045ef\\\",\\\"ActivityStatus\\\":\\\"COMPLETE\\\",\\\"OriginCreationTimestamp\\\":\\\"2023-09-27T12:46:04.7371426+00:00\\\",\\\"Data\\\":{\\\"traceId\\\":\\\"3d0174bb033061b6ea293b4b694b539e\\\",\\\"parentSpanId\\\":\\\"766ea5ba2e592c6f\\\",\\\"pcm.user_id\\\":2,\\\"pcm.field_changes\\\":[[[[[[[]],[[]],[[]]],[[[]],[[]],[[]]],[[[]],[[]],[[]]],[[[]],[[]],[[]]],[[[]],[[]],[[]]],[[[]],[[]],[[]]]]]]]}}\"","Properties":{"Activity":"{\"ClientId\" "9115\",\"TenantCode\" "Pcm.iLevelWebsite.Activities\",\"ActivityType\" "SendTemplateSettings\",\"Source\" "Web Entry Form\",\"SourcePath\":null,\"TenantContextId\" "943fc4e0ab5f084274812d4d1ed045ef\",\"ActivityStatus\" "COMPLETE\",\"OriginCreationTimestamp\" "2023-09-27T12:46:04.7371426+00:00\",\"Data\":{\"traceId\" "3d0174bb033061b6ea293b4b694b539e\",\"parentSpanId\" "766ea5ba2e592c6f\",\"pcm.user_id\":2,\"pcm.field_changes\":[[[[[[[]],[[]],[[]]],[[[]],[[]],[[]]],[[[]],[[]],[[]]],[[[]],[[]],[[]]],[[[]],[[]],[[]]],[[[]],[[]],[[]]]]]]]}}","SourceContext":"Pcm.ActivityLog.ActivityReceiver.Controllers.v1.ActivitiesController","ActionId":"512bd8da-6d33-43fa-bdea-98aec8557fbc","ActionName":"Pcm.ActivityLog.ActivityReceiver.Controllers.v1.ActivitiesController.Post (Pcm.ActivityLog.ActivityReceiver)","RequestId":"0HMTV8DM8SU7U:00000002","RequestPath":"/api/activitylog/v1/activities","ConnectionId":"0HMTV8DM8SU7U","TenantContextId":"943fc4e0ab5f084274812d4d1ed045ef","XRequestId":"5166ba8338c9671d9003c1d698d0e5aa","CurrentCorrelationId":"25a0fd9f-163d-493e-905d-6e296af0e776","ParentCorrelationId":"25a0fd9f-163d-493e-905d-6e296af0e776","OriginCorrelationId":"25a0fd9f-163d-493e-905d-6e296af0e776","Application":"ActivityLogActivityReceiver","Environment":"AWS-DEV6"}}</> As i mentioned this is one of the record lists that is generated by Splunk query  index=activitylog_activityreceiver Environment="AWS-DEV6" | search MessageTemplate="Received Post Method for activity: {Activity}" I want to extend this query to generate a table from Properties.Activity field of records by extracting there some keys for each record. if I try this query it will give a list of JSON with a single column, But i need some column extract from json index=activitylog_activityreceiver Environment="AWS-DEV6" | search MessageTemplate="Received Post Method for activity: {Activity}" | table Properties.Activity Hope i was able to convey what is needed

Pro tip: When posting complex source text, use the code block. (</> icon).  This way your post will not have so many frowning faces Can you confirm whether Splunk gives you a field like Properties.Activity? If it does, spath MessageTemplate would do nothing because MessageTemplate is already a top-level scalar.  If no, spath MessageTemplate would do nothing because the path MessageTemplate does not exist. I still assume that Splunk already gives you fields Properties.Activity and MessageTemplate because your index search already invokes a field named "Environment" which is at the same top level as MessageTemplate and Properties.  All you need to do to extract values of interest from Properties.Activity   index=activitylog_activityreceiver Environment="AWS-DEV6" MessageTemplate="Received Post Method for activity: {Activity}" | spath input=Properties.Activity   Your sample data should give ActivityStatus ActivityType ClientId Data.parentSpanId Data.pcm.user_id Data.traceId OriginCreationTimestamp Source SourcePath TenantCode TenantContextId COMPLETE SendTemplateSettings 9115 766ea5ba2e592c6f 2 3d0174bb033061b6ea293b4b694b539e 2023-09-27T12:46:04.7371426+00:00 Web Entry Form null Pcm.iLevelWebsite.Activities 943fc4e0ab5f084274812d4d1ed045ef This is the emulation for the data you show. (Attempt to correct those frowning faces rendered embedded Properties.Activity somewhat noncompliant, but Splunk dealt with fine.)   | makeresults | eval _raw = "{\"Level\":\"Information\",\"MessageTemplate\":\"Received Post Method for activity: {Activity}\",\"RenderedMessage\":\"Received Post Method for activity: \\\"{\\\\\\\"ClientId\\\\\\\":\\\\\\\"9115\\\\\\\",\\\\\\\"TenantCode\\\\\\\":\\\\\\\"Pcm.iLevelWebsite.Activities\\\\\\\",\\\\\\\"ActivityType\\\\\\\":\\\\\\\"SendTemplateSettings\\\\\\\",\\\\\\\"Source\\\\\\\":\\\\\\\"Web Entry Form\\\\\\\",\\\\\\\"SourcePath\\\\\\\":null,\\\\\\\"TenantContextId\\\\\\\":\\\\\\\"943fc4e0ab5f084274812d4d1ed045ef\\\\\\\",\\\\\\\"ActivityStatus\\\\\\\":\\\\\\\"COMPLETE\\\\\\\",\\\\\\\"OriginCreationTimestamp\\\\\\\":\\\\\\\"2023-09-27T12:46:04.7371426+00:00\\\\\\\",\\\\\\\"Data\\\\\\\":{\\\\\\\"traceId\\\\\\\":\\\\\\\"3d0174bb033061b6ea293b4b694b539e\\\\\\\",\\\\\\\"parentSpanId\\\\\\\":\\\\\\\"766ea5ba2e592c6f\\\\\\\",\\\\\\\"pcm.user_id\\\\\\\":2,\\\\\\\"pcm.field_changes\\\\\\\":[[[[[[[]],[[]],[[]]],[[[]],[[]],[[]]],[[[]],[[]],[[]]],[[[]],[[]],[[]]],[[[]],[[]],[[]]],[[[]],[[]],[[]]]]]]]}}\\\"\",\"Properties\":{\"Activity\":\"{\\\"ClientId\\\":\\\"9115\\\",\\\"TenantCode\\\":\\\"Pcm.iLevelWebsite.Activities\\\",\\\"ActivityType\\\":\\\"SendTemplateSettings\\\",\\\"Source\\\":\\\"Web Entry Form\\\",\\\"SourcePath\\\":null,\\\"TenantContextId\\\":\\\"943fc4e0ab5f084274812d4d1ed045ef\\\",\\\"ActivityStatus\\\":\\\"COMPLETE\\\",\\\"OriginCreationTimestamp\\\":\\\"2023-09-27T12:46:04.7371426+00:00\\\",\\\"Data\\\":{\\\"traceId\\\":\\\"3d0174bb033061b6ea293b4b694b539e\\\",\\\"parentSpanId\\\":\\\"766ea5ba2e592c6f\\\",\\\"pcm.user_id\\\":2,\\\"pcm.field_changes\\\":[[[[[[[]],[[]],[[]]],[[[]],[[]],[[]]],[[[]],[[]],[[]]],[[[]],[[]],[[]]],[[[]],[[]],[[]]],[[[]],[[]],[[]]]]]]]}}\",\"SourceContext\":\"Pcm.ActivityLog.ActivityReceiver.Controllers.v1.ActivitiesController\",\"ActionId\":\"512bd8da-6d33-43fa-bdea-98aec8557fbc\",\"ActionName\":\"Pcm.ActivityLog.ActivityReceiver.Controllers.v1.ActivitiesController.Post (Pcm.ActivityLog.ActivityReceiver)\",\"RequestId\":\"0HMTV8DM8SU7U:00000002\",\"RequestPath\":\"/api/activitylog/v1/activities\",\"ConnectionId\":\"0HMTV8DM8SU7U\",\"TenantContextId\":\"943fc4e0ab5f084274812d4d1ed045ef\",\"XRequestId\":\"5166ba8338c9671d9003c1d698d0e5aa\",\"CurrentCorrelationId\":\"25a0fd9f-163d-493e-905d-6e296af0e776\",\"ParentCorrelationId\":\"25a0fd9f-163d-493e-905d-6e296af0e776\",\"OriginCorrelationId\":\"25a0fd9f-163d-493e-905d-6e296af0e776\",\"Application\":\"ActivityLogActivityReceiver\",\"Environment\":\"AWS-DEV6\"}}" | spath ``` emulates index=activitylog_activityreceiver Environment="AWS-DEV6" MessageTemplate="Received Post Method for activity: {Activity}" ```   If by any chance Splunk hasn't extracted Properties.Activity for obscure reasons, you can add an spath to extract it, then filter for MessageTemplate, then extract from Properties.Activity.   index=activitylog_activityreceiver Environment="AWS-DEV6" | spath | search MessageTemplate="Received Post Method for activity: {Activity}" | spath input=Properties.Activity    

Thank you so much for the quick response. I'm a noob, and what I've done so far is take the Splunk learning courses available to me and watched YouTube videos as well, on creating alerts. I've read over the material available to me at work (playbooks on related alerts) and I've been reading up on the topic areas in AWS. I have also found a Splunk quick reference guide on how to create queries, but I must admit it's all new to me so I was reaching out for any advice or pro tips. I have a background in construction and from that experience I learned the value of simple tricks or tips other people have learned from having experience. Even just presenting me with the question of if I have a search yet, is valuable advice. I don't but that helps a lot. Thanks again

What have you tried so far?  How have those efforts not met expectations? An alert is just a scheduled search that takes action on what it finds.  Do you have a search, yet? As is often the case, a specific question is more likely get a response than a vague "I need help" message.