Another unique field to extract is the Operation performed: \:\s+[A-Z]+\s+(?<Operation>[*\s]+) You can test on a report with: | rex field=_raw "\:\s+[A-Z]+\s+(?<Operation>[*\s]+)" You can use the operation event results to narrow down on the type events you want to search. For the event message portion, you can use: (?ms)([A-Z].*\s-\s+(?<Message>.*) You can test on a report with: | rex field=_raw "(?ms)([A-Z].*\s-\s+(?<Message>.*)" (?ms) is used to display multiple lines of a message. Example would be Java messages.   Thanks, Joe ... View more

From what I see, the vizportal_node-0.log seems to be systems/audit log containing events needed to determine event failures. The log events are not easily structured for Splunk to easily extract fields based on the display of the event information. There are lots of results within the log file without any reference to the meaning of the result. You will need to build a lot of rex commands to extract fields correctly. For example, you can test a failed login attempt and then read the log file. If you already have the vizportal_node-0.log events forwarded to Splunk, you can run a search within Splunk for your failed login attempt using _raw=ERROR. The log level of an event seems to be unique and can be extracted to a field. I was able to save the below rex command for determining the log level of Tableau logs. (?<log_level>ERROR|INFO|EMERG|ALERT|CRIT|WARN|NOTICE|DEBUG) If you want to test the above rex command on a report, you can use: | rex field=_raw "(?<log_level>ERROR|INFO|EMERG|ALERT|CRIT|WARN|NOTICE|DEBUG)" Based on the report you are building, you may need to build custom rex commands to meet your needs for the report.   Thanks, Joe ... View more

Thank you. Short and nice. 🙂 ... View more

Thank you @ITWhisperer . Works great when all the  events have same fields attempting to extract from the raw data. The rex command is limited when extracting and displaying multiple fields not found on events. For example, the below will fill data in the user_id field for all events       | rex "user_id:\[\d+\]\s\"(?<user_id>[^\"]+)        But when I have an event that displays data not found on another event, the fields would only be extracted for certain event. Below is example: Event 1 for _raw field (Notice the data for option): session_id:[3] "33445" user_id:[4] "peter1234" option:[4] "67" NAME:[10] "Peter" Car:[3] "Pinto" Event 2 for _raw field (option is not listed): session_id:[3] "33445" user_id:[11] "peter1234" NAME:[5] "Peter" Car:[9] "Gremlin" Event 3 for _raw field (option and NAME is not listed): session_id:[3] "33445" user_id:[11] "peter1234" Car:[9] "Gremlin" When I run the rex example to only extract user_id and NAME, data would only be filled for records similar to Event 1. Data similar to Event 2  or Event 3 would not display data even though user_id exists with the raw data for events. After further testing, I noticed extracted fields will only display on all events if the same extracted field displays in all events within the raw data.        | rex "user_id:\[\d+\]\s\"(?<user_id>[^\"]+).+NAME:\[\d+\]\s\"(?<NAME>[^\"]+)"     Is there a way to run the rex command to display extracted data on all events even if certain events have no data? Based on the above example, I would want event 1 to display the user_id data and NAME data event 2 to display user_id data and NAME data event 3 to display  user_id data. Also, if I am extracting data for example OS$USERID:[11] "peter1234", would the rex command be | rex "OS.USERID:\[\d+\]\s\"(?<os_userid>[^\"]+) Joe ... View more