I am struggling with this too.
I did observe a few google results that indicated that errors are piped into winEventLogs, but that doesn't apply to me. And the particular objects I was instructed to monitor with inputs aren't JSON.
I looked at this, https://www.theinformationlab.co.uk/2016/02/05/tableau-server-needs-splunk-2/, but the Tableau folks had me go after their "node" logs that have ambiguous fields (to me, knowing nothing about Tableau).
Two raw events I imagine the team wants to measure as a transaction, as a sample:
2019-05-07 10:56:44.398 -0700 (Folks Friendly Name,someUser,someRand,pupupuPuuu, heheheHee,1-couldBeToken) catalina-exec-29 vizportal: INFO com.tableausoftware.app.vizportal.LoggingInterceptor - Request completed: /v1/getSessionInfo with status 200
2019-05-07 10:56:44.388 -0700 (Folks Friendly Name,someUser,someRand,pupupuPuuu, heheheHee,1-couldBeToken) catalina-exec-29 vizportal: INFO com.tableausoftware.app.vizportal.LoggingInterceptor - Request received: /v1/getSessionInfo
I haven't had time to analyze their log4j properties, but so far I am doing this very brittle stick-poking to share examples for the Tableau team...
index="tableau_team" sourcetype="tableau:vizportal"
earliest=-1h
"Request "
| rex ":\s(?<log_level>[A-Z]{1,8})\s"
| rex "\((?<token_payload>[^\)]*)\)"
| eval fields=split(token_payload,",")
| eval tkn_1=mvindex(fields,0)
| eval tkn_2=mvindex(fields,1)
| eval tkn_3=mvindex(fields,2)
| eval tkn_4=mvindex(fields,3)
| eval tkn_5=mvindex(fields,4)
| eval tkn_6=mvindex(fields,5)
| rex "Request\s(?<request_payload>.*)$"
| rex field=request_payload "^(?<request_type>\S+):"
| fillnull value=req_start request_type
| rex field=request_payload ":\s(?<request_ctx>\S+)"
| rex field=request_payload "with\s(?<req_status_string>[\s\w]+)"
| rex field=req_status_string "status\s(?<req_status_code>\d{1,3})"
| table _time log_level token_payload tkn* request_payload request_type request_ctx req_status_string req_status_code _raw
| stats values(token_payload) values(req_status_code) range(_time) AS tx_duration by tkn_5 request_ctx
| chart max(tx_duration) by request_ctx
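For reference, here is an added example (not from the post above or from Tableau) that parses the vizportal line layout shown in the sample and pairs each "Request received" with its "Request completed" for the same token list and path, which is the transaction the SPL is trying to measure; the regex and the constructed sample lines are assumptions based only on the two events quoted above.

```python
import re
from datetime import datetime, timedelta

# Layout of the vizportal lines quoted in the post; an assumption, not a Tableau spec.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3} [+-]\d{4}) "
    r"\((?P<tokens>[^)]*)\) (?P<thread>\S+) (?P<component>\S+): "
    r"(?P<level>[A-Z]+) (?P<logger>\S+) - Request (?P<kind>received|completed): "
    r"(?P<path>\S+)(?: with status (?P<status>\d{3}))?$"
)

def parse_line(line):
    """Fields of one vizportal line, or None if the line does not match the layout."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%d %H:%M:%S.%f %z")
    ev["tokens"] = tuple(t.strip() for t in ev["tokens"].split(","))  # strip the stray spaces
    return ev

def pair_requests(lines):
    """Pair received/completed events by (token list, path), oldest first, like a Splunk
    transaction. Returns (completed, orphans): completed holds
    (last_token, path, status, duration_ms); orphans are received events never completed."""
    events = sorted((e for e in map(parse_line, lines) if e), key=lambda e: e["ts"])
    open_reqs, completed = {}, []
    for ev in events:
        key = (ev["tokens"], ev["path"])
        if ev["kind"] == "received":
            open_reqs.setdefault(key, []).append(ev)  # same path may be in flight twice
        elif open_reqs.get(key):
            start = open_reqs[key].pop(0)
            ms = (ev["ts"] - start["ts"]) // timedelta(milliseconds=1)
            completed.append((ev["tokens"][-1], ev["path"], ev["status"], ms))
    orphans = [e for reqs in open_reqs.values() for e in reqs]
    return completed, orphans

# Constructed sample: the two lines from the post plus a second request and one that never
# completes, listed newest first as Splunk would show them.
_PFX = ("(Folks Friendly Name,someUser,someRand,pupupuPuuu, heheheHee,1-couldBeToken) catalina-exec-29 "
        "vizportal: INFO com.tableausoftware.app.vizportal.LoggingInterceptor - Request ")
SAMPLE = [
    "2019-05-07 10:56:45.350 -0700 " + _PFX + "completed: /v1/getViews with status 200",
    "2019-05-07 10:56:45.100 -0700 " + _PFX + "received: /v1/getViews",
    "2019-05-07 10:56:44.398 -0700 " + _PFX + "completed: /v1/getSessionInfo with status 200",
    "2019-05-07 10:56:44.388 -0700 " + _PFX + "received: /v1/getSessionInfo",
    "2019-05-07 10:56:44.000 -0700 " + _PFX.replace("1-couldBeToken", "2-otherToken") + "received: /v1/getSessionInfo",
]

if __name__ == "__main__":
    done, orphans = pair_requests(SAMPLE)
    for tok, path, status, ms in done:
        print(f"{tok} {path} status={status} duration={ms}ms")
    print(f"{len(orphans)} request(s) received but never completed")
```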