29 Sep 2025 03:46 PM - edited 29 Sep 2025 03:50 PM
I have something similar to pull in for a health check on services.
Example JSON.
{
"event.type": "LOG",
"content": "Last Modified at: ,2025-08-29 08:25:03.747519\nservice1,Good\nservice2,Good\nservice3,Good\nservice4,Bad",
"status": "NONE",
"timestamp": "1759152303747",
"dt.entity.host": "HOST-123456",
"dt.host_group.id": "DEV",
"log.source": "D:\\WebApplications\\service\\HealthCheck\\Data.txt",
"loglevel": "NONE",
"dt.cost.costcenter": "Services",
"dt.entity.host_group": "HOST_GROUP-123456789",
"dt.openpipeline.pipelines": "logs:default",
"dt.openpipeline.source": "oneagent"
}
Processor Def:
PARSE (content, "LD 'at: ,' TIMESTAMP('yyyy-MM-dd HH:mm:ss.f'):last_time_modified '\'")
| PARSE(content, "LD TIMESTAMP STRING DATA STRING:Service_Status")
Any ideas how I can get these services\status into a variable to be able to alert and generate the title or description with the variables if one of the 4 services\status is BAD?
Also, with the new logging in the Gen3 view, how do we do event alerting etc. without using classic log process?
29 Sep 2025 06:52 PM
Yes, I can make an event extraction for each service and its status to trigger with service,bad and generate an alert, but the page is dynamic and updates are made often. Each event extraction would then be static and always need manual updates, while I want this to be as dynamic as possible to be able to handle additional services as necessary as the service list grows.
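
The dynamic extraction asked about in this thread, sketched outside Dynatrace as an added example (not from either post, and not DPL/DQL): it splits the sample `content` field into service/status pairs without naming any service, so new lines are picked up automatically. The function names, the alert fields and the rule that any status other than "Good" is failing are assumptions.

```python
import json
from datetime import datetime

# Sample record constructed from the JSON posted above (trimmed to the fields used).
SAMPLE = json.dumps({
    "content": "Last Modified at: ,2025-08-29 08:25:03.747519\n"
               "service1,Good\nservice2,Good\nservice3,Good\nservice4,Bad",
    "dt.entity.host": "HOST-123456",
    "log.source": "D:\\WebApplications\\service\\HealthCheck\\Data.txt",
})

def parse_health(content):
    """Return (last_modified, {service: status}) from the health-check text."""
    last_modified, statuses = None, {}
    for line in content.splitlines():
        name, sep, value = line.strip().partition(",")
        if not sep:
            continue  # not a "name,value" line; skip rather than guess
        if name.lower().startswith("last modified"):
            last_modified = datetime.strptime(value.strip(), "%Y-%m-%d %H:%M:%S.%f")
        else:
            statuses[name.strip()] = value.strip()
    return last_modified, statuses

def build_alert(record_json):
    """Return an alert dict if any service is not Good, otherwise None."""
    rec = json.loads(record_json)
    last_modified, statuses = parse_health(rec["content"])
    # Assumption: every status other than "Good" counts as failing.
    failing = sorted(s for s, st in statuses.items() if st.lower() != "good")
    if not failing:
        return None
    return {
        "title": f"Health check: {', '.join(failing)} not Good on {rec['dt.entity.host']}",
        "description": "; ".join(f"{s}={statuses[s]}" for s in sorted(statuses)),
        "last_modified": last_modified.isoformat() if last_modified else None,
        "source": rec["log.source"],
    }

if __name__ == "__main__":
    print(build_alert(SAMPLE))
```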