Hi to everyone, I have some trouble on setting a correct output for a search query. This is the start situation of the logs:  I've created a regex for a cleaner situation:   host="xxxxx" | rex "time\":\"(?<time>[^\"]+)" | rex "fullname\":\"(?<fullname>[^\"]+)" | rex "confname\":\"(?<confname>[^\"]+)" | table time, fullname, confname   So now i have this situation: It's clear but i need a situation where i can see the first and last time a user login (the system logs timestamp for users as long as the user is logged) something like: Time start | Time Stop | full name | confname Someone has a some suggestions? p.s. For helping others people in my situation, this is the logs of Big Blue Button software ... View more

Hi to all, I'm new to the splunk use and I have an issue with a software that write logs in a non standard way (of my fresh knowledge of splunk) { "name":"clientLogger", "level":30, "levelName":"info", "msg":"[audio] iceServers", "time":"2018-08-27T19:32:57.389Z", "src":"xxxxxx", "v":1, "extraInfo":{ "sessionToken":"e7boenucj1pwkbfc", "meetingId":"183f0bf3a0982a127bdb8161e0c44eb696b3e75c-1535398242909", "requesterUserId":"w_klfavdlkumj8", "fullname":"Ios", "confname":"Demo Meeting", "externUserID":"w_klfavdlkumj8" }, "url":"xxxx", "userAgent":"Mozilla/5.0", "count":1 } and in splunk the log are: the only info I need are: - time - fullname - confname But regex don't work and I don't recognize how to set only the proper field! Some help or how to guide would be helpful! Thanks in advance! ... View more