The Format of Logs changed and the Alerts are not ... - Splunk Community

Monitoring Splunk

So the logs changed from typical jason to this ...

"message":"type=\"CLIENT_LOGIN\", realmId=\"xxx\", clientId=\"xxx\", userId=\"xxx"

so splunk extracts for type this "\"

Now the searches do not work anymore

you have to create a new search using a regex to extract fields:

| rex "type\=\\\"(?<type>[^\\]+)"

the problem is that the log contains backslash and this is a provlem because in the search you have to use the above command or the following:

| rex "type\=\\\\\"(?<type>[^\\]+)"

Ciao.

Giuseppe

Get Updates on the Splunk Community!

Join Us for Splunk University and Get Your Bootcamp Game On!

If you know, you know! Splunk University is the vibe this summer so register today for bootcamps galore ...

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

.conf24 is taking place at The Venetian in Las Vegas from June 11 - 14. Continue reading to learn about the ...

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...