I have the raw data below. How do I get the strings after the "action": and put all the results into a new field?
{"dateTime":"2018-03-19T05:57:46.3002859Z","ID":"b3f7","account":"9002",xd":"859","action":"Exit"}
{"dateTime":"2018-03-19T05:57:47.1102859Z","ID":"cbbf","account":"f295",xd":"f89","tile":"HeroTile","action":"page:http://first.com/roomV8.2/front.main/"}
{"dateTime":"2018-03-19T05:57:46.3002859Z","ID":"b3f7","account":"9002",xd":"859","action":"Exit"}
{"dateTime":"2018-03-19T05:57:47.1102859Z","ID":"cbbf","account":"f295",xd":"f89","tile":"HeroTile","action":"page:http://second.com/roomV8.2/front.main/"}
@ddrillic you can use the sed command to replace : by = :
| rex field=_raw mode=sed "s/:/=/g"
So, great, we can replace the : with = and then the fields should be automatically detected.
This will work much better and faster than my previous regex.
Is there a way to convert the : to = in the log file?
Add this to your search
index=my_index | rex field=_raw "\"action\":\"(?<action>[^\"]+)"
If you don't want to get action=Exit, let me know.
You can do the same for the other fixed field names, such as dateTime, ID and account.
Did you miss a quote after "page:?
Can you show what's after page:? can action have multiple values separated by :?
If there is more data after page: then use this:
"action":"(?<test>\w+|.+)"
This will grab everything inside the quotes
Hi dwong2,
Try it in https://regex101.com/
"action":"(?<test>\w+|.+)"
Basically you want to tell the regex to search for "action" and group the result into a field we can call on later, which in this example I named "test".
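The two regexes suggested above (`[^"]+` in the rex answer and `\w+|.+` in the regex101 answer) behave the same on the posted events, but not in general. The following is an added Python example, not code from any of the posters or from Splunk: it runs both patterns over the four events copied from the question (kept verbatim, including the unbalanced quote before xd that makes them invalid JSON), extracts every key/value pair in a way that tolerates that broken quote, and splits a "page:http://..." action on its first colon. The MISPLACED event, where action is not the last field, is constructed here to show the greedy `.+` overrunning into the next field. The colon_to_equals function is a narrowed form of the sed idea from the earlier answer; the pattern it uses is my own, not something any poster wrote.

```python
import re

# Constructed sample events: the four lines from the question, verbatim,
# including the missing opening quote on the xd key (invalid JSON).
RAW_EVENTS = [
    '{"dateTime":"2018-03-19T05:57:46.3002859Z","ID":"b3f7","account":"9002",xd":"859","action":"Exit"}',
    '{"dateTime":"2018-03-19T05:57:47.1102859Z","ID":"cbbf","account":"f295",xd":"f89","tile":"HeroTile","action":"page:http://first.com/roomV8.2/front.main/"}',
    '{"dateTime":"2018-03-19T05:57:46.3002859Z","ID":"b3f7","account":"9002",xd":"859","action":"Exit"}',
    '{"dateTime":"2018-03-19T05:57:47.1102859Z","ID":"cbbf","account":"f295",xd":"f89","tile":"HeroTile","action":"page:http://second.com/roomV8.2/front.main/"}',
]

# Constructed event (not from the question) where action is NOT the last field.
MISPLACED = '{"action":"page:http://first.com/","tile":"HeroTile"}'

# Same idea as the rex answer: stop at the next double quote, so ':' and '/'
# inside the value do not terminate the match.
ACTION_RE = re.compile(r'"action":"(?P<action>[^"]+)')

# The alternation from the regex101 answer. The '.+' branch is greedy and only
# stops at the LAST quote on the line, so it overruns if any field follows action.
ACTION_ALT_RE = re.compile(r'"action":"(?P<test>\w+|.+)"')

# Generic key/value pair. The opening quote on the key is optional, so the
# malformed  xd":"859"  pair is captured along with the well-formed ones.
PAIR_RE = re.compile(r'"?(?P<key>\w+)"\s*:\s*"(?P<val>[^"]*)"')


def extract_action(event: str):
    """Value of the action field using the stop-at-quote pattern, or None."""
    m = ACTION_RE.search(event)
    return m.group("action") if m else None


def extract_action_alt(event: str):
    """Value of the action field using the \\w+|.+ pattern, or None."""
    m = ACTION_ALT_RE.search(event)
    return m.group("test") if m else None


def extract_pairs(event: str) -> dict:
    """All key/value pairs in one event; a repeated key keeps its last value."""
    return {m.group("key"): m.group("val") for m in PAIR_RE.finditer(event)}


def split_action(action: str):
    """Split 'page:http://...' on the FIRST colon only -> ('page', 'http://...').
    'Exit' has no colon and comes back as ('Exit', '')."""
    kind, _sep, target = action.partition(":")
    return kind, target


def colon_to_equals(event: str) -> str:
    """Rewrite only the ':' that sits between a key's closing quote and a value's
    opening quote. A bare s/:/=/g would also mangle 05:57:46 and http://."""
    return re.sub(r'"\s*:\s*"', '"="', event)


def all_actions(events) -> list:
    """The 'new field' the question asks for: one action value per event."""
    return [extract_action(e) for e in events]


if __name__ == "__main__":
    for ev in RAW_EVENTS + [MISPLACED]:
        print(extract_action(ev), "|", extract_action_alt(ev))
        print("   ", extract_pairs(ev))
```

On the posted events both patterns return the full URL, because action is the last field on the line. On MISPLACED the `\w+|.+` variant returns `page:http://first.com/","tile":"HeroTile`, which is why `[^"]+` is the safer choice whenever the field order is not guaranteed.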
If I wanted to search for this instead: "action":"page: ?
