So the logs changed from typical jason to this ...
"message":"type=\"CLIENT_LOGIN\", realmId=\"xxx\", clientId=\"xxx\", userId=\"xxx"
so splunk extracts for type this "\"
Now the searches do not work anymore
Hi @n3wbi3,
you have to create a new search using a regex to extract fields:
| rex "type\=\\\"(?<type>[^\\]+)"
the problem is that the log contains backslash and this is a provlem because in the search you have to use the above command or the following:
| rex "type\=\\\\\"(?<type>[^\\]+)"
Ciao.
Giuseppe