Hi Splunkers.
I have two levels of logs (NOTICE, ERROR). For ERROR logs (JSON), method_name and message are automatically getting extracted, but not for NOTICE logs. So I have written my case statement like below in the UI and it's working fine, but I'm not sure how to deploy this in props.conf:
index=index_name sourcetype=sourctype_name log_level=NOTICE
| eval message=case(method_name=="protopayload.table.create", "table created", method_name=="protopayload.table.delete", "table deleted")
I don't want to write a case statement for error logs as they are already getting extracted fine.
To be precise: I want my field extraction to happen automatically for error logs (as it's getting extracted automatically) and want my case statement to work only for NOTICE logs.
Please assist on this.
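One way to express this as a search-time calculated field in props.conf, added here as an example and not taken from the original post: `your_sourcetype` is a placeholder for the sourcetype used in the search above, and the eval only substitutes the case result on NOTICE events, returning the already-extracted `message` for everything else so ERROR events keep their original text.

```ini
# props.conf on the search head, e.g. $SPLUNK_HOME/etc/apps/<app>/local/props.conf
# (<app> and the stanza name are placeholders for your own app and sourcetype).
[your_sourcetype]
# EVAL-<field> defines a calculated field. It runs at search time after automatic
# field extraction (KV_MODE json), so log_level, method_name and any message the
# JSON extraction produced are already available. A calculated field overrides an
# existing field of the same name, which is why the non-NOTICE branch returns
# message itself instead of letting ERROR messages be blanked.
EVAL-message = if(log_level=="NOTICE", case(method_name=="protopayload.table.create", "table created", method_name=="protopayload.table.delete", "table deleted", true(), message), message)
```

To check it, run the search from the post without the `| eval` clause: NOTICE events should show the mapped text and ERROR events their original JSON message.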