Hello, I'm designing some searches from O365 logs that have a complicated field called "Data", depending on the workload. I have 2 cases about this. In the first case,  with the Workload of SecurityCompliance, the field Data comes like this: {"etype":"MaliciousUrl", "aii":"90224859-1bce-4d99-a94c-08d92a7c3325", "eid":"http://someURL.com/uiEWUIWER8", "tid":"672rerce-0ccd-4867-8090-e8bb889999ae0", "ts":"2021-06-09T02:50:41.0000000Z", "te":"2021-06-09T02:50:41.0000000Z", "trc":"xxxx@yyyy.com", "tdc":"1", "at":"2021-06-09T02:50:41.0000000Z", "dm":"Office ATP Safe Links", "ot":"Not Applicable", "od":"Not Applicable", "md":"2021-06-08T12:52:04.3356492Z", "lon":"MaliciousUrlClick"} And what I've tried for extracting the field "etype", for example, is: MY SEARCH | spath Data output=Data | table Data.etype MY SEARCH | spath Data  | table Data{}.etype MY SEARCH | spath | table Data.etype And that kind of things... Didn't work And in the 2nd case, with the Workload=AirInvestigation. I have kind of the same data structure but with lots of lines, like 190 lines (impossible to copy here without messing it up), and with array fields, grouping items with [ ]  instead of { }  and that kind of things. If you could help me, I would thank you so much. Thanks for your assistance and have a nice day. Regards ... View more

We have an SFTP server with logs saved. We want to integrate those logs with Splunk, but we can't install an universal forwarder in that server. What options do we have? Push data from the server? Pull that logs from the HF? Thank you ... View more