Hello guys. This is my first post here to ask for help with extracting fields from a JSON object. Below is an example of the record: {"pod":"fmd9p","time":"2023-10-03T21:49:39.31255352Z", "source":"/var/log/containers/fmd9p_default.log","container_id":"1ae53e1be","log": "I1003 14:49:39.312453 test_main.cc:149] trace_id=\"8aeb0\" event=\"Worker.Finish\" program_run_sec=25.1377 status=\"OK\""} How can I extract trace_id, event, program_run_sec, and status from the log section automatically by setting up a sourcetype? Is it doable? Thanks for any help and advise

Good afternoon, Background: I found a configuration issue in one of our firewalls which I'm trying to remediate where an admin created a very broad access rule that has permitted traffic over a wide array of TCP/UDP ports. I started working to identify valid traffic which has used the rule, but a co-worker mentioned an easy win would be creating an ACL to block any ports which had not already been allowed through this very promiscuous rule. My problem is I know how to use the data model to identify TCP/UDP traffic which has been logged egressing through the rule, but how could I modify the search provided below so that I can get a result that displays which ports have NOT been logged? (Also bonus points if you can help me view numbers returned as ranges rather than individual numbers aka "5000-42000") Here is my current search:   | tstats ,values(All_Traffic.dest_port) AS dest_port values(All_Traffic.dest_ip) AS dest_ip dc(All_Traffic.dest_ip) AS num_dest_ip dc(All_Traffic.dest_port) AS num_dest_port FROM datamodel=Network_Traffic WHERE index="firewall" AND sourcetype="traffic" AND fw_rule="horrible_rule" BY All_Traffic.dest_port | rename All_Traffic.* AS *   Thank you in advance for any help that you may be able to provide!

Hello!  I'm trying to figure out a way to display a single value that calculates users who have disconnected divided by the time range based on the time picker.   The original number comes from the avg of total disconnects divided by the distinct user count.  I need to divide that number by the number of days which is based on the time picker.  The goal is to get the avg user disconnects per day based on time frame selected in time picker.  For example if there are 100 disconnects and 10 distinct users =10, then divided by the number of days selected in picker(7) should equal 1.42 disconnects per day.  I hope that makes sense.  Here is my search: Index=... Host=HostName  earliest=$time_tok.earliest$ latest=$time_tok.latest$ | stats count by "User ID" |search "User ID"=* |stats avg(count) That will only give me the Total disconnects divided by Distinct users, but I need that number divided by the time picker number of days and I can't get it to work.  Thank you!!!