can't figure out how to indexing my data from zigbee2mgtt.  The logs are exported from Home assistance via syslog, as Json.  I have tried various settings in props on the forwarder. Current setting: [zigbee2mqtt] DATETIME_CONFIG = INDEXED_EXTRACTIONS = JSON category = structured NO_BINARY_CHECK = true TIMESTAMP_FIELDS = timestamp LINE_BREAKER = ([\r\n]+) disabled = false pulldown_type = true And on the search: Current: [zigbee2mqtt] KV_MODE = JSON And this is how the data appears in the log.  for me it looks like some kind mix, not just JSON data. Sep 20 19:13:19 linsrv 1 2023-09-20T17:13:19.941+02:00 localhost Zigbee2MQTT - - - MQTT publish: topic 'zigbee2mqtt/P001', payload '{"auto_off":null,"button_lock":null,"consumer_connected":true,"consumption":7.82,"current":0,"device_temperature":25,"energy":7.82,"led_disabled_night":null,"linkquality":255,"overload_protection":null,"power":0,"power_outage_count":3,"power_outage_memory":null,"state":"OFF","update":{"installed_version":41,"latest_version":32,"state":"idle"},"update_available":false,"voltage":234}'/n host = linsrv index = zigbee source = /disk1/syslog/in/linsrv/2023-09-20/messages.log sourcetype = zigbee2mqtt   Sep 20 19:08:13 linsrv06.hemdata.hemdata.se 1 2023-09-20T17:08:13.988+02:00 localhost Zigbee2MQTT - - - MQTT publish: topic 'zigbee2mqtt/P002', payload '{"auto_off":null,"button_lock":null,"consumer_connected":true,"consumption":2.58,"current":0,"device_temperature":23,"energy":2.58,"led_disabled_night":null,"linkquality":255,"overload_protection":null,"power":0,"power_outage_count":0,"power_outage_memory":null,"state":"OFF","update":{"installed_version":41,"latest_version":32,"state":"idle"},"update_available":false,"voltage":229}'/n host = linsrv index = zigbee source = /disk1/syslog/in/linsrv/2023-09-20/messages.log sourcetype = zigbee2mqtt   Sep 20 19:08:13 linsrv 1 2023-09-20T17:08:13.968+02:00 localhost Zigbee2MQTT - - - MQTT publish: topic 'zigbee2mqtt/P001', payload '{"auto_off":null,"button_lock":null,"consumer_connected":true,"consumption":7.82,"current":0,"device_temperature":25,"energy":7.82,"led_disabled_night":null,"linkquality":255,"overload_protection":null,"power":0,"power_outage_count":3,"power_outage_memory":null,"state":"OFF","update":{"installed_version":41,"latest_version":32,"state":"idle"},"update_available":false,"voltage":234}'/n host = linsrv index = zigbee source = /disk1/syslog/in/linsrv/2023-09-20/messages.logsourcetype = zigbee2mqtt   Sep 20 19:08:06 linsrv 1 2023-09-20T17:08:06.199+02:00 localhost Zigbee2MQTT - - - MQTT publish: topic 'zigbee2mqtt/P002', payload '{"auto_off":null,"button_lock":null,"consumer_connected":true,"consumption":2.58,"current":0,"device_temperature":23,"energy":2.58,"led_disabled_night":null,"linkquality":255,"overload_protection":null,"power":0,"power_outage_count":0,"power_outage_memory":null,"state":"OFF","update":{"installed_version":41,"latest_version":32,"state":"idle"},"update_available":false,"voltage":229}'/n host = linsrv index = zigbee source = /disk1/syslog/in/linsrv/2023-09-20/messages.log sourcetype = zigbee2mqtt  

Greetings, I have a search that list every index and what sourcetypes are contained within it. |tstats values(sourcetype) where index=* by index What I like about it is that I can see each index and a list of all of the sourcetypes specific tot that index. I'm trying to see this same data format by with a column of the indexes and a column of all of the fields that index contains. I'm working on adding indexes to an app that already list what fields it needs but doesn't know what index they are associated to. So I have something like hash value fields md5 and MD5. They are different because of the source they come from but I need to find the index they live to add it. I also think it would just be useful for audit purposes so if expected fields can be confirmed at a glance. Please let me know if you have any questions. Thank you! Best, Brian

Hello All, Im having an issue where my license has stopped showing that any data is getting ingested. The data is still coming in and everything looks to be good,  but the license is showing that no data is getting ingested but it is. Does anyone have a solution or ever ran into this problem?    

I have the following search that works but I'm trying to display more information in the search results.  I have a watchlist lookup.  I use that to search notable events so that I can alert on a user or asset that is part of a new notable.    I'm trying to figure out how to display the new notable in the results.    | inputlookup user_watchlist | search _key=* | rename _key as user | table user asset | dedup user asset | eval flag="no" | join type=left user asset [ search index=notable | where isnotnull(src) | table src user _time | mvexpand src | mvexpand user | dedup src user | eval user=mvindex(split(user,"@"),0) | eval flag="yes" | rename src as asset | eval asset=lower(asset)] | where flag="yes"