Did the sourcetype changed OR just the log format?
We went through the same issue when we upgraded ATG and our Tomcat servers, the logging format changed which broke some of our fields, especially the JSESSION field. I ended up modifying the regular expression in each field to account for the old logging style and the new logging style, I used a
| as an OR in the regex and put the new logging style first and the old logging style second to boost performance since I'll almost always be searching the new stuff first. I then tested the regex's performance and it was insignificant so I went this route and it's been working good for the past 6 months
Another approach is to create a new sourcetype and re-create your fields based on that new sourcetype. This will take longer and will require you to update the query in any dashboards, alerts, and anything else which used that field.