topic Extract json from event if the event contains the string in Splunk Enterprise

Extract json from event if the event contains the string

karthi25 — Wed, 10 Jun 2020 14:56:26 GMT

I have following events in splunk log

{ [-]
   log: {"@timestamp":"2019-11-18T16:02:16.080-08:00","@version":1,"message":"Files Succesfully Moved To S3 Bucket [20191118-160215~0.txt,  20191118-160215~0.txt.gz, ~20191118-160215~0.txt.gz.done]","logger_name":"FileGenerator","thread_name":"scheduling-1","level":"INFO","level_value":20000,"APP_NAME":"schedule"}

   stream: stdout
   time: 2019-11-19T00:02:16.08107067Z
}
{ [-]
   log: {"@timestamp":"2019-11-19T04:06:07.008-08:00","@version":1,"message":"Processing Ended at 2019-11-19T04:06:07.008-08:00","logger_name":"FileGenerator","thread_name":"scheduling-1","level":"INFO","level_value":20000,"APP_NAME":"schedule"}

   stream: stdout
   time: 2019-11-19T12:06:07.008346529Z
}

{ [-]
   log: {"@timestamp":"2019-11-16T16:00:00.658-08:00","@version":1,"message":"Files Succesfully Moved To S3 Bucket [ 20191116-160000~0.txt,  20191116-160000~0.txt.gz,  20191116-160000~0.txt.gz.done]","logger_name":"FileGenerator","thread_name":"scheduling-1","level":"INFO","level_value":20000,"APP_NAME":"schedule"}

   stream: stdout
   time: 2019-11-17T00:00:00.658656167Z
}

{ [-]
   log: {"@timestamp":"2019-11-15T16:00:00.565-08:00","@version":1,"message":"Files Succesfully Moved To S3 Bucket [ 20191115-160000~1.txt,  20191115-160000~1.txt.gz,  20191115-160000~1.txt.gz.done]","logger_name":"FileGenerator","thread_name":"scheduling-1","level":"INFO","level_value":20000,"APP_NAME":"schedule"}

   stream: stdout
   time: 2019-11-16T00:00:00.566173395Z
}

Now, I want to extract message,app_name,level from the log only when the message contains the string "Files Succesfully Moved To S3 Bucket".
I already tried the following query:

index=d** source=S***  source=u** "Files Succesfully Moved To S3 Bucket" | table APP_NAME,level,message

but it doesn't returns anything.

Re: Extract json from event if the event contains the string

aberkow — Wed, 20 Nov 2019 00:52:43 GMT

If they're all in the form of "message":"Files Successfully Moved to S3 Bucket*", have you tried that as your search clause?

Re: Extract json from event if the event contains the string

to4kawa — Wed, 20 Nov 2019 01:22:28 GMT

| makeresults 
| eval _raw=" { 
    \"log\": {\"@timestamp\": \"2019-11-15T16:00:00.565-08:00\",
    \"@version\": 1,
    \"message\": \"Files Succesfully Moved To S3 Bucket [ 20191115-160000~1.txt,  20191115-160000~1.txt.gz,  20191115-160000~1.txt.gz.done]\",
    \"logger_name\": \"FileGenerator\",
    \"thread_name\": \"scheduling-1\",
    \"level\": \"INFO\",
    \"level_value\": 20000,
    \"APP_NAME\": \"schedule\"},
    \"stream\": \"stdout\",
    \"time\": \"2019-11-16T00:00:00.566173395Z\"
 }" 
| spath

Hi, As you can see from the example, the field names are different.

index=d** source=S***  source=u** "Files Succesfully Moved To S3 Bucket" 
| table log.APP_NAME, log.level, log.message

How about it?

Re: Extract json from event if the event contains the string

woodcock — Wed, 20 Nov 2019 23:46:36 GMT

Try this:

 index=d** source=S***  source=u** "Files Succesfully Moved To S3 Bucket"
| rename log AS _raw
| kv
| table APP_NAME,level,message