Hi, I need some help. We have been using Splunk for MongoDB alerts for a while, and the new MongoDB version we are upgrading to is changing the log format from text to JSON. I need to alter the alert in Splunk so that it will continue to work with the new JSON log format. Here is an example of a search query in one of the alerts we have now:

index=googlecloud* source="projects/dir1/dir2/mongodblogs" data.logName="projects/dir3/logs/mongodb" data.textPayload="* REPL *" NOT "catchup takeover"
| rex field=data.textPayload "(?<sourceTimestamp>\d{4}-\d*-\d*T\d*:\d*:\d*.\d*)-\d*\s*(?<severity>\w*)\s*(?<component>\w*)\s*(?<context>\S*)\s*(?<message>.*)"
| search component="REPL" message!="*took *ms" message!="warning: log line attempted * over max size*" NOT (severity="I" AND message="applied op: CRUD*" AND message!="*took *ms")
| rename data.labels.compute.googleapis.com/resource_name as server
| regex server="^preprod0[12]-.+-mongodb-server8*\d$"
| sort sourceTimestamp data.insertId
| table sourceTimestamp server severity component context message

The content of the MongoDB log is under data.textPayload. It is currently formatted using a regex and split into 5 groups with labels, and then we search each group for the string or message that we want to be alerted on. The new JSON format log looks like this:

{"t":{"$date":"2022-04-19T07:50:31.005-04:00"},"s":"I", "c":"REPL", "id":21340, "ctx":"RstlKillOpThread","msg":"State transition ops metrics","attr":{"metrics":{"lastStateTransition":"stepDown","userOpsKilled":0,"userOpsRunning":4}}}

I need to split them into 7 groups, using comma as the delimiter, and then search each group using the same search criteria. I have been trying and testing for 2 days; I'm new to Splunk and not very good at regex. Any help would be appreciated.

Thanks!
Sally
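The new log line is a JSON object, so splitting it on commas is the wrong tool: commas also appear inside "msg" and "attr", and the order of keys is not guaranteed. The robust approach is to parse the JSON and map its keys onto the labels the old rex produced (t.$date -> sourceTimestamp, s -> severity, c -> component, ctx -> context, msg -> message), then apply the existing filters unchanged. The following Python script, added here as a worked example and not part of the original post or of MongoDB or Splunk, does exactly that over a few constructed sample lines so the filter logic can be checked offline before it is translated into SPL. The server names, the second and later log lines, and the message texts used for the exclusions are assumptions for the example; the real message texts in the structured format should be confirmed against actual logs, since the old "took ... ms" and "applied op: CRUD" wording may have changed when MongoDB moved to structured logging.

```python
import json
import re
from fnmatch import fnmatchcase

# Server-name regex copied unchanged from the existing alert.
SERVER_RE = re.compile(r"^preprod0[12]-.+-mongodb-server8*\d$")

# Structured-log key -> label used by the old alert's rex groups.
FIELD_MAP = {"t": "sourceTimestamp", "s": "severity", "c": "component",
             "id": "id", "ctx": "context", "msg": "message", "attr": "attr"}

# Constructed sample input (not real log data). The first preprod01 line is the
# one from the post; the rest are made up to exercise each exclusion.
SAMPLE_BY_SERVER = {
    "preprod01-eu-mongodb-server81": [
        '{"t":{"$date":"2022-04-19T07:50:31.005-04:00"},"s":"I", "c":"REPL", "id":21340, "ctx":"RstlKillOpThread","msg":"State transition ops metrics","attr":{"metrics":{"lastStateTransition":"stepDown","userOpsKilled":0,"userOpsRunning":4}}}',
        '{"t":{"$date":"2022-04-19T07:50:29.000-04:00"},"s":"I","c":"REPL","id":0,"ctx":"conn12","msg":"applied op: CRUD insert","attr":{}}',
        '{"t":{"$date":"2022-04-19T07:50:30.000-04:00"},"s":"I","c":"NETWORK","id":22943,"ctx":"listener","msg":"Connection accepted","attr":{}}',
        '{"t":{"$date":"2022-04-19T07:50:28.500-04:00"},"s":"W","c":"REPL","id":0,"ctx":"conn3","msg":"Starting an election due to catchup takeover","attr":{}}',
        '2022-04-19T07:50:27.000-0400 I REPL [replexec-0] old text-format line',
        '{"t":{"$date":"2022-04-19T07:50:25.000-04:00"},"s":"I","c":"REPL","id":0,"ctx":"ReplCoord-1","msg":"transition to PRIMARY","attr":{"oldState":"SECONDARY","newState":"PRIMARY"}}',
    ],
    # Does not match SERVER_RE, so nothing from it may appear in the output.
    "prod01-eu-mongodb-server1": [
        '{"t":{"$date":"2022-04-19T07:50:26.000-04:00"},"s":"I","c":"REPL","id":0,"ctx":"ReplCoord-1","msg":"transition to PRIMARY","attr":{}}',
    ],
}


def parse_structured_line(line):
    """Parse one MongoDB structured (JSON) log line into the old alert's labels.

    Returns None for anything that is not a JSON object, e.g. leftover
    text-format lines during the upgrade window, so callers can skip them.
    """
    try:
        doc = json.loads(line)
    except json.JSONDecodeError:
        return None
    if not isinstance(doc, dict):
        return None
    event = {label: doc.get(key) for key, label in FIELD_MAP.items()}
    # "t" is an Extended JSON wrapper {"$date": "..."}; unwrap it.
    ts = event["sourceTimestamp"]
    event["sourceTimestamp"] = ts.get("$date") if isinstance(ts, dict) else ts
    event["raw"] = line
    return event


def _like(value, pattern):
    """Splunk-style wildcard compare: '*' wildcard, case-insensitive.

    fnmatch also treats '?' and '[' specially; the alert's patterns use neither.
    """
    return fnmatchcase((value or "").lower(), pattern.lower())


def matches_alert(event):
    """Apply the existing alert's search criteria to a parsed event."""
    msg = event.get("message") or ""
    if "catchup takeover" in event.get("raw", "").lower():   # NOT "catchup takeover"
        return False
    if event.get("component") != "REPL":                     # component="REPL"
        return False
    if _like(msg, "*took *ms"):                              # message!="*took *ms"
        return False
    if _like(msg, "warning: log line attempted * over max size*"):
        return False
    if (event.get("severity") == "I" and _like(msg, "applied op: CRUD*")
            and not _like(msg, "*took *ms")):
        return False
    return True


def alert_rows(lines_by_server):
    """Filter {server: [raw lines]} down to the old alert's table columns.

    Rows are sorted by the ISO-8601 timestamp string, which is chronological
    as long as all lines carry the same UTC offset (as in the sample).
    """
    rows = []
    for server, lines in lines_by_server.items():
        if not SERVER_RE.search(server):                     # regex server="..."
            continue
        for line in lines:
            event = parse_structured_line(line)
            if event is None or not matches_alert(event):
                continue
            rows.append((event["sourceTimestamp"], server, event["severity"],
                         event["component"], event["context"], event["message"]))
    rows.sort(key=lambda r: r[0])
    return rows


if __name__ == "__main__":
    for row in alert_rows(SAMPLE_BY_SERVER):
        print("\t".join(str(c) for c in row))
```

Two caveats when carrying this over to the Splunk search. First, the base term data.textPayload="* REPL *" relied on REPL being surrounded by spaces in the text format; in the JSON line it is surrounded by quotes ("c":"REPL"), so that term will silently stop matching and should be replaced by a match on the extracted component field. Second, Splunk can extract the JSON fields itself with spath (for example | spath input=data.textPayload) and the extracted names can then be renamed to the old labels, but check in your environment whether Cloud Logging has started placing the parsed JSON under jsonPayload instead of textPayload after the upgrade, since the source field of the rex/spath would need to change accordingly.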