Hi @Codie, If your _raw value looks like this:

{
"@timestamp": "2024-09-05T10:59:34.826855417+10:00",
"appName": "TestApp",
"environment": "UAT",
"ivUser": "Ashish",
"level": "INFO",
"logger": "com.app.login",
"message": "New user state created - state_id: XXXX-YYYYYY, key_id: twoFactorAuth, key_value: {\"tamSessionIndex\":\"1d1ad722-XXXX-11ef-8a2b-005056b70cf5\",\"devicePrint\":\"DDDDDDDDDDD\",\"createdAt\":\"2099-09-05T00:59:34.734404799Z\",\"updatedAt\":\"2099-09-05T00:59:34.734404799Z\",\"clientSessionId\":\"ppppppppppppp\",\"sessionId\":\"WWWWWWWWW\",\"clientTransactionId\":\"8fd2353d-d609-XXXX-52i6-2e1dc12359m4\",\"transactionId\":\"9285-:f18c10db191:XXXXXXXX_TRX\",\"twoFaResult\":\"CHALLENGE\",\"newDevice\":true,\"newLocation\":false,\"overseas\":true} with TTL: 46825",
"parentId": "",
"spanId": "14223cXXXX6d63d5",
"tamSessionIndex": "1d1ad722-6b22-11ef-8a2b-XXXXXXX",
"thread": "https-jsse-nio-XXXX-exec-6",
"traceId": "66d90275ecc565aa61XXXXXXXX02f5815"
}

You should have a message field with value:

New user state created - state_id: XXXX-YYYYYY, key_id: twoFactorAuth, key_value: {"tamSessionIndex":"1d1ad722-XXXX-11ef-8a2b-005056b70cf5","devicePrint":"DDDDDDDDDDD","createdAt":"2099-09-05T00:59:34.734404799Z","updatedAt":"2099-09-05T00:59:34.734404799Z","clientSessionId":"ppppppppppppp","sessionId":"WWWWWWWWW","clientTransactionId":"8fd2353d-d609-XXXX-52i6-2e1dc12359m4","transactionId":"9285-:f18c10db191:XXXXXXXX_TRX","twoFaResult":"CHALLENGE","newDevice":true,"newLocation":false,"overseas":true} with TTL: 46825

The key_value data may vary, and you'll need to adjust the regular expression as needed, but as a starting point, you can extract key_value (as message_key_value) and clientTransactionId cleanly in SPL using:

| rex field=message "key_value: (?<message_key_value>\{.*\}) with TTL:"
| spath input=message_key_value

or

| rex field=message "key_value: (?<message_key_value>\{.*\}) with TTL:"
| eval clientTransactionId=json_extract(json(message_key_value), "clientTransactionId")

or

| eval clientTransactionId=json_extract(json(replace(message, ".* key_value: (\{.*\}) with TTL: .*", "\\1")), "clientTransactionId")

or other variations.
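The same extraction done offline in Python, as an added example that is not part of the answer above: it applies the rex pattern to the message field of a constructed _raw event (placeholder values mirroring the thread), decodes the embedded key_value JSON, and flattens it the way spath would. The greedy `{.*}` is safe here only because the JSON object is immediately followed by " with TTL:", which the regex anchors on; the TTL group and the empty-result path for messages without that suffix are my additions.

```python
import json
import re
from typing import Any, Dict

# Constructed sample _raw event (placeholder values, modelled on the one in the thread).
RAW_EVENT = json.dumps({
    "@timestamp": "2024-09-05T10:59:34.826855417+10:00",
    "appName": "TestApp",
    "level": "INFO",
    "logger": "com.app.login",
    "message": (
        "New user state created - state_id: XXXX-YYYYYY, key_id: twoFactorAuth, "
        'key_value: {"tamSessionIndex":"1d1ad722-XXXX-11ef-8a2b-005056b70cf5",'
        '"clientTransactionId":"8fd2353d-d609-XXXX-52i6-2e1dc12359m4",'
        '"twoFaResult":"CHALLENGE","newDevice":true,"newLocation":false,"overseas":true}'
        " with TTL: 46825"
    ),
})

# Same anchoring as the SPL rex: the greedy {.*} stops at the brace right before " with TTL:".
# The ttl group is an addition for convenience.
KEY_VALUE_RE = re.compile(r"key_value: (?P<message_key_value>\{.*\}) with TTL: (?P<ttl>\d+)")


def extract_key_value(raw: str) -> Dict[str, Any]:
    """Return the embedded key_value fields flattened as message_key_value.<key>, plus ttl."""
    event = json.loads(raw)
    m = KEY_VALUE_RE.search(event.get("message", ""))
    if not m:
        # Message does not carry the "key_value: {...} with TTL: n" shape; nothing to extract.
        return {}
    nested = json.loads(m.group("message_key_value"))
    # Mirror spath: nested keys become message_key_value.<key>, booleans stay booleans.
    fields = {f"message_key_value.{k}": v for k, v in nested.items()}
    fields["ttl"] = int(m.group("ttl"))
    return fields


if __name__ == "__main__":
    for name, value in extract_key_value(RAW_EVENT).items():
        print(f"{name} = {value!r}")
```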