So we got Splunk installed and started indexing our logs before changes were put in place to better integrate with Splunk. How do you handle field extractions from the time before the update and the time after the update?
We went through the same issue when we upgraded ATG and our Tomcat servers: the logging format changed, which broke some of our fields, especially the JSESSION field. I ended up modifying the regular expression in each field to account for the old logging style and the new logging style. I used a `|` as an OR in the regex and put the new logging style first and the old logging style second to boost performance, since I'll almost always be searching the new stuff first. I then tested the regex's performance and the difference was insignificant, so I went this route and it's been working well for the past 6 months.
Another approach is to create a new sourcetype and re-create your fields based on that new sourcetype. This will take longer and will require you to update the query in any dashboards, alerts, and anything else which used that field.
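The alternation approach from the answer above, as an added example that is not from the original poster or from Splunk: one extraction regex with the new layout as the first branch and the old layout as the second, run over constructed sample lines of both styles. The two log layouts and the `sessionId=` / `jsessionid:` markers are assumptions made for illustration.

```python
import re

# Constructed sample events (not from the thread): one in the assumed new
# Tomcat logging style, one in the assumed old style, one with no session.
NEW_STYLE = "2024-03-01 10:15:22,101 INFO [http-nio-8080-exec-3] sessionId=ABC123DEF456 GET /checkout 200"
OLD_STYLE = "01-Mar-2024 10:15:22 INFO Request jsessionid:abc123def456 GET /checkout 200"
NO_SESSION = "2024-03-01 10:15:23,004 INFO [http-nio-8080-exec-3] health check OK"

# Single regex covering both eras. The new layout is the first alternative,
# so on recent events the engine never has to try the old branch.
# Python requires (?P<name>...); Splunk's PCRE-based EXTRACT-<class> stanza
# in props.conf would use the (?<name>...) spelling of the same groups.
JSESSION_RE = re.compile(
    r"sessionId=(?P<jsession_new>[A-Za-z0-9]+)"      # new logging style
    r"|"
    r"jsessionid:(?P<jsession_old>[A-Za-z0-9]+)"     # old logging style
)


def extract_jsession(line):
    """Return (session_id, style) where style is 'new' or 'old',
    or (None, None) when the event carries no session id."""
    m = JSESSION_RE.search(line)
    if m is None:
        return None, None
    if m.group("jsession_new") is not None:
        return m.group("jsession_new"), "new"
    return m.group("jsession_old"), "old"


def style_counts(lines):
    """Count how many events matched each branch; useful for checking that
    the old branch is only hit by pre-migration events once the cutover is done."""
    counts = {"new": 0, "old": 0, "none": 0}
    for line in lines:
        _, style = extract_jsession(line)
        counts[style or "none"] += 1
    return counts


if __name__ == "__main__":
    for line in (NEW_STYLE, OLD_STYLE, NO_SESSION):
        print(extract_jsession(line))
    print(style_counts([NEW_STYLE, OLD_STYLE, NO_SESSION]))
```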
Did the sourcetype change, or just the log format?
Just the log format.