I am looking at filtering Kafka messages in Splunk. For that I need to be able to filter which messages show up in my search. However, since I am new to Splunk, I have no idea how to filter the way I want, and 2 days of tutorials, reading and messing about haven't brought me any closer to the solution. My event data looks like this:
2020-04-01 13:59:55:803 INFO [messageCoordinator] Sent Kafka message {
"body":{
"id":"messageID",
"name":"messageName",
"channels":"affectedChannels",
"order":messageOrder,
...
},
"headers":{
"deltaFields":[
"status",
"otherString"
],
"level":"messageLevel",
"operationType":"UPDATE",
"messageType":"messageType",
"timestamp":1585746000000,
"trackingId":6651814029
}
}
Now I need to filter based on headers.deltaFields, which is always present, always a string array but can have multiple values (up to 8 strings) in the array.
I only want the event to show up in my search if certain strings are within the deltaFields. Any help would be highly appreciated.
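One way to do this in SPL, added here as an example and not taken from the poster or from Splunk documentation: because the JSON is preceded by a timestamp and log prefix, Splunk will not auto-extract it as JSON, so the search first cuts the JSON out of `_raw` with `rex`, then pulls the array out with `spath` into a multivalue field, and only then filters on it. The index and sourcetype names are placeholders, and the search assumes each Kafka message is ingested as one multi-line event (hence the `(?s)` flag so `.*` spans line breaks).

```spl
index=your_index sourcetype=your_sourcetype "Sent Kafka message"
| rex field=_raw "(?s)Sent Kafka message (?<kafka_json>\{.*\})"
| spath input=kafka_json path=headers.deltaFields{} output=deltaFields
| spath input=kafka_json path=headers.operationType output=operationType
| spath input=kafka_json path=body.id output=messageId

``` keep events where ANY of the listed strings is in deltaFields ```
| search deltaFields IN ("status", "otherString")

``` alternative: keep events only where ALL required strings are present
    (mvfilter returns null when nothing matches, so isnotnull acts as "contains") ```
``` | where isnotnull(mvfilter(deltaFields=="status")) AND isnotnull(mvfilter(deltaFields=="otherString")) ```

| table _time messageId operationType deltaFields
```

`search` against a multivalue field matches if any value matches, which is what the `IN (...)` line relies on; swap in the commented `where` line if every listed string must be present. If the sourcetype already has `KV_MODE=json` or similar and a `headers.deltaFields{}` field shows up in the field sidebar without the `rex`/`spath` steps, you can filter on that field directly instead.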