https://community.splunk.com/t5/Splunk-Search/Question-about-not-standard-source-type/m-p/498037#M140153 <P>Will try this solution too!<BR /> Thanks</P> Sun, 17 May 2020 04:29:48 GMT glm_cybaze 2020-05-17T04:29:48Z https://community.splunk.com/t5/Splunk-Search/Question-about-not-standard-source-type/m-p/498032#M140148 <P>Hi to all, I'm new to the splunk use and I have an issue with a software that write logs in a non standard way (of my fresh knowledge of splunk)<BR /> {<BR /><BR /> "name":"clientLogger",<BR /> "level":30,<BR /> "levelName":"info",<BR /> "msg":"[audio] iceServers",<BR /> "time":"2018-08-27T19:32:57.389Z",<BR /> "src":"xxxxxx",<BR /> "v":1,<BR /> "extraInfo":{<BR /><BR /> "sessionToken":"e7boenucj1pwkbfc",<BR /> "meetingId":"183f0bf3a0982a127bdb8161e0c44eb696b3e75c-1535398242909",<BR /> "requesterUserId":"w_klfavdlkumj8",<BR /> "fullname":"Ios",<BR /> "confname":"Demo Meeting",<BR /> "externUserID":"w_klfavdlkumj8"<BR /> },<BR /> "url":"xxxx",<BR /> "userAgent":"Mozilla/5.0",<BR /> "count":1<BR /> }<BR /> and in splunk the log are:<BR /> <IMG src="https://community.splunk.com/storage/temp/290749-inkedsplunk-04-li2.jpg" alt="alt text" /></P> <P>the only info I need are:<BR /> - time<BR /> - fullname<BR /> - confname</P> <P>But regex don't work and I don't recognize how to set only the proper field!<BR /> Some help or how to guide would be helpful!<BR /> Thanks in advance!</P> Wed, 30 Sep 2020 05:25:49 GMT https://community.splunk.com/t5/Splunk-Search/Question-about-not-standard-source-type/m-p/498032#M140148 glm_cybaze 2020-09-30T05:25:49Z https://community.splunk.com/t5/Splunk-Search/Question-about-not-standard-source-type/m-p/498033#M140149 <P><CODE>rex</CODE> should work. You didn't say what you tried, so we can't say what you might have done wrong. Try this:</P> <PRE><CODE>index=foo | rex "time\":\"(?&lt;time&gt;[^\"]+)" | rex "fullname\":\"(?&lt;fullname&gt;[^\"]+)" | rex "confname\":\"(?&lt;confname&gt;[^\"]+)" | table time, fullname, confname </CODE></PRE> Sat, 16 May 2020 16:59:41 GMT https://community.splunk.com/t5/Splunk-Search/Question-about-not-standard-source-type/m-p/498033#M140149 richgalloway 2020-05-16T16:59:41Z https://community.splunk.com/t5/Splunk-Search/Question-about-not-standard-source-type/m-p/498034#M140150 <P>Thanks, i used in search and work! created report and dashboard! now i try to replicate and add more complex analisys!</P> Sat, 16 May 2020 23:27:01 GMT https://community.splunk.com/t5/Splunk-Search/Question-about-not-standard-source-type/m-p/498034#M140150 glm_cybaze 2020-05-16T23:27:01Z https://community.splunk.com/t5/Splunk-Search/Question-about-not-standard-source-type/m-p/498035#M140151 <P>make props.conf</P> <PRE><CODE>SEDCMD-trim = s/.*?\]//g TRUNCATE = 0 INDEXED_EXTRACTION = none KV_MODE = json SHOULD_LINEMERGE = false </CODE></PRE> <P>You can see the fields <CODE>{}.time</CODE> , <CODE>extraInfo{}.fullname</CODE> and <CODE>extraInfo{}.confname</CODE></P> Sat, 16 May 2020 23:35:41 GMT https://community.splunk.com/t5/Splunk-Search/Question-about-not-standard-source-type/m-p/498035#M140151 to4kawa 2020-05-16T23:35:41Z https://community.splunk.com/t5/Splunk-Search/Question-about-not-standard-source-type/m-p/498036#M140152 <P>If your problem is resolved then please accept an answer to help future readers.</P> Sat, 16 May 2020 23:58:26 GMT https://community.splunk.com/t5/Splunk-Search/Question-about-not-standard-source-type/m-p/498036#M140152 richgalloway 2020-05-16T23:58:26Z https://community.splunk.com/t5/Splunk-Search/Question-about-not-standard-source-type/m-p/498037#M140153 <P>Will try this solution too!<BR /> Thanks</P> Sun, 17 May 2020 04:29:48 GMT https://community.splunk.com/t5/Splunk-Search/Question-about-not-standard-source-type/m-p/498037#M140153 glm_cybaze 2020-05-17T04:29:48Z