Hello, I want to extract a multivalued field in a nested JSON event A: [ { [-] file: x type:a } { [-] file: y type:b } ] Here in the above JSON, i want to extract the field named 'file' if and only if the type = 'a' and not 'b'. Inside props.conf, I specified a condition as mentioned : EVAL-myfile= if('type'=="a",'file', "") The problem here is, it will extract even the file where type='b' as they belong to the same event. Is there a way in props.conf to correctly evaluate the file attribute in this nested JSON ? Also I need to map this field for Splunk CIM data Model so I can not do this in the search query of dashboards. ... View more

Configuring emails to be sent from Splunk on a gmail ID works fine but I am facing an error while trying to configure splunk email settings using my yahoo account. The following steps were followed to achieve the same but to no avail: Outgoing Mail (SMTP) Server Server - smtp.mail.yahoo.com Port - 465 or 587 Requires SSL - Yes Requires TLS - Yes (if available) Requires authentication - Yes Additional details are available on this link When sending mails using the sendemail command, it gives an error saying MailBox Unavailable . I would appreciate help from anyone who can help me resolve this issue ... View more

I want to use group by aggregate function with a field called "field1". Some events in my data donot consists of this field. (i.e field1 = null). Now when i try to use group by with this field the events where field1=null are skipped and not shown in our output. How to use the group by function with fields where the coverage of the field is not 100%? ... View more