Hello, I'm designing some searches from O365 logs that have a complicated field called "Data", depending on the workload. I have two cases about this.

In the first case, with the Workload of SecurityCompliance, the field Data comes like this:

{"etype":"MaliciousUrl", "aii":"90224859-1bce-4d99-a94c-08d92a7c3325", "eid":"http://someURL.com/uiEWUIWER8", "tid":"672rerce-0ccd-4867-8090-e8bb889999ae0", "ts":"2021-06-09T02:50:41.0000000Z", "te":"2021-06-09T02:50:41.0000000Z", "trc":"xxxx@yyyy.com", "tdc":"1", "at":"2021-06-09T02:50:41.0000000Z", "dm":"Office ATP Safe Links", "ot":"Not Applicable", "od":"Not Applicable", "md":"2021-06-08T12:52:04.3356492Z", "lon":"MaliciousUrlClick"}

And what I've tried for extracting the field "etype", for example, is:

MY SEARCH | spath Data output=Data | table Data.etype
MY SEARCH | spath Data | table Data{}.etype
MY SEARCH | spath | table Data.etype

And that kind of thing... It didn't work.

In the second case, with Workload=AirInvestigation, I have roughly the same data structure but with lots of lines, like 190 lines (impossible to copy here without messing it up), and with array fields, grouping items with [ ] instead of { } and that kind of thing.

If you could help me, I would thank you so much. Thanks for your assistance and have a nice day. Regards
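As an added illustration (not the poster's code and not Splunk's implementation), the Python below parses the Data payload quoted in the post and flattens it using spath's field-naming convention (dotted names for nested objects, `{}` for arrays), so you can see which names a search can actually reference; the array-shaped sample standing in for the AirInvestigation case is constructed.

```python
import json

# Data payload copied from the post (the SecurityCompliance case).
SAMPLE_DATA = (
    '{"etype":"MaliciousUrl", "aii":"90224859-1bce-4d99-a94c-08d92a7c3325", '
    '"eid":"http://someURL.com/uiEWUIWER8", "tid":"672rerce-0ccd-4867-8090-e8bb889999ae0", '
    '"ts":"2021-06-09T02:50:41.0000000Z", "te":"2021-06-09T02:50:41.0000000Z", '
    '"trc":"xxxx@yyyy.com", "tdc":"1", "at":"2021-06-09T02:50:41.0000000Z", '
    '"dm":"Office ATP Safe Links", "ot":"Not Applicable", "od":"Not Applicable", '
    '"md":"2021-06-08T12:52:04.3356492Z", "lon":"MaliciousUrlClick"}'
)

# Constructed stand-in for the array-heavy AirInvestigation shape (not real log data;
# the key "items" is a placeholder, not a field name from the post).
SAMPLE_ARRAY_DATA = '{"etype":"Investigation", "items":[{"id":"a","score":1},{"id":"b","score":3}]}'


def flatten_spath(value, prefix=""):
    """Flatten parsed JSON into spath-style field names.

    Nested objects become dotted names (a.b); arrays become a{} and
    objects inside arrays become a{}.b. Because spath turns arrays into
    multivalue fields, every name maps to the list of values at that path.
    """
    fields = {}
    if isinstance(value, dict):
        for key, child in value.items():
            name = f"{prefix}.{key}" if prefix else key
            for k, v in flatten_spath(child, name).items():
                fields.setdefault(k, []).extend(v)
    elif isinstance(value, list):
        name = prefix + "{}"
        for child in value:
            for k, v in flatten_spath(child, name).items():
                fields.setdefault(k, []).extend(v)
    else:
        fields[prefix] = [value]
    return fields


def extract_from_data(data_field, path):
    """Return the (multivalue) list for one spath path inside the Data JSON, or None if absent."""
    return flatten_spath(json.loads(data_field)).get(path)


if __name__ == "__main__":
    for name, values in flatten_spath(json.loads(SAMPLE_DATA)).items():
        print(f"{name} = {values}")
    print(extract_from_data(SAMPLE_ARRAY_DATA, "items{}.id"))
```

In SPL the equivalent step is `| spath input=Data`, after which the fields are named exactly as this function names them (etype, eid and so on, with no `Data.` prefix), which is why `table Data.etype` comes back empty.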