diff --git a/github_app_for_splunk/default/props.conf b/github_app_for_splunk/default/props.conf
index 8778338..d3cde4d 100644
--- a/github_app_for_splunk/default/props.conf
+++ b/github_app_for_splunk/default/props.conf
@@ -142,6 +142,7 @@ EVAL-status_update_date = if(('action'!="" AND isnotnull('issue.updated_at')), '
 EVAL-status_current = if(action=="deleted", "deleted", 'issue.state')
 EVAL-submitter_user = if(isnotnull('issue.user.login'), 'issue.user.login', null())
 EVAL-submission_date = if(isnotnull('issue.created_at'), 'issue.created_at', null())
+EVAL-user = case(isnotnull(user),user,isnotnull(user1),user1,isnotnull(user2),user2,isnotnull(user3),user3,isnotnull(user4),user4,1==1,"unknown")
 EVAL-vendor_product = "github"
 EVAL-xref = if(isnotnull(affected_package_name), affected_package_name, alert_location_path)
 # Field Extractions
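Review bot: The new EVAL-user line fixes a precedence among its sources purely by the numbering of the intermediate aliases (existing user, then actor as user1, then the workflow head-commit author name as user2, then repository.owner.login as user3/user4), but nothing explains why that order was chosen; a comment above it such as `# user precedence: existing user > actor (authenticated GitHub account) > workflow head_commit author name (self-asserted git metadata) > repository owner` would make the ranking reviewable. Of these, `workflow_run.head_commit.author.name` is git metadata set by whoever made the commit rather than an authenticated identity, while `actor` is the account that performed the action, so anyone building detections on the CIM `user` field should know when the value comes from user2. The `1==1,"unknown"` default also changes behaviour: events that previously had no `user` now carry the literal string "unknown", which searches filtering on `user=*` will start matching.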
@@ -151,11 +152,11 @@ EXTRACT-commit_hash = | spath commits{} output=commits | mvexpand commits | re
 EXTRACT-release_tags = "ref":"refs\/tags\/(?[0-9|aA-zZ.]*)"
 EXTRACT-object = "repo":".+/{1}(?[^"]+)",
 # Field Aliases
-FIELDALIAS-dependabot = "alert.affected_package_name" AS affected_package_name "alert.external_identifier" AS cve "alert.external_reference" AS url "alert.most_recent_instance.location.path" AS alert_location_path "alert.rule.description" AS alert_description "alert.rule.security_severity_level" AS severity_level "alert.severity" AS severity eventtype AS vendor_product "repository.owner.login" AS user
+FIELDALIAS-dependabot = "alert.affected_package_name" AS affected_package_name "alert.external_identifier" AS cve "alert.external_reference" AS url "alert.most_recent_instance.location.path" AS alert_location_path "alert.rule.description" AS alert_description "alert.rule.security_severity_level" AS severity_level "alert.severity" AS severity eventtype AS vendor_product "repository.owner.login" AS user3
 FIELDALIAS-RepoAlias = "organization.login" ASNEW organization "repository.name" ASNEW repository_name
-FIELDALIAS-secret = "alert.html_url" AS url "alert.secret_type" AS secret_type "repository.owner.login" AS user
-FIELDALIAS-user = actor AS user
-FIELDALIAS-workflow_changes = action ASNEW command actor_ip ASNEW src document_id ASNEW object_id pull_request_url ASNEW object_path "workflow_run.event" ASNEW command "workflow_run.head_branch" ASNEW branch "workflow_run.head_commit.author.name" ASNEW user "workflow_run.head_repository.full_name" ASNEW repository
+FIELDALIAS-secret = "alert.html_url" AS url "alert.secret_type" AS secret_type "repository.owner.login" AS user4
+FIELDALIAS-user = actor AS user1
+FIELDALIAS-workflow_changes = action ASNEW command actor_ip ASNEW src document_id ASNEW object_id pull_request_url ASNEW object_path "workflow_run.event" ASNEW command "workflow_run.head_branch" ASNEW branch "workflow_run.head_commit.author.name" ASNEW user2 "workflow_run.head_repository.full_name" ASNEW repository
 # Other
 REPORT-issueNumber = issueNumber
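Review bot: user3 and user4 both alias the same source field, "repository.owner.login" (in FIELDALIAS-dependabot and FIELDALIAS-secret), so the `isnotnull(user4),user4` branch of the new EVAL-user in the first hunk can never supply a value that user3 did not already supply; if both lines live in the same stanza, as the hunk suggests, one alias name is enough, e.g. `"repository.owner.login" AS user3` in both. The numbered names user1..user4 also remain as four intermediate fields on every event with nothing indicating where each comes from; a comment above FIELDALIAS-dependabot such as `# user1..user4 feed EVAL-user; the number is the precedence order, not a type of user` would help the next maintainer. The hunk header counts 11 old lines but only 10 are visible here, so one line (likely a blank) appears to have been lost in rendering.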