Hi niranjan28,
can you please describe your setup?
Is there a Splunk Universal Forwarder sending data to your Indexer?
If yes: Does it get listed in your Monitoring Console correctly?
Kind regards,
Michael
Hi Nadhiyaa,
maybe this helps you get started:
\}\s+(?<EXTRACTION1>\w+)|on_realm:\s+(?<EXTRACTION2>\d)
It will extract the lines below your headline "organisations on_realm".
This should also work for extracting all of the relevant data:
^\s+(? \w+):\D+}|(? \w+).\w+:\s+{\s+[-]|\w+:\s+\d+\s+\w+:\s+\d+\s+\w+:\s+\d+\s+(? \w+)|:\s+(? \d+)\s+