topic Re: Is there any possibility to split the value from the message field, like teamName, ID as a different field? in Getting Data In

Is there any possibility to split the value from the message field, like teamName, ID as a different field?

JGP — Tue, 04 Apr 2023 10:37:13 GMT

is there any possibility to split the value from the message field, like teamName, ID as a different field.

Re: customized Fields

gcusello — Tue, 04 Apr 2023 08:01:59 GMT

Hi @JGP,

yes it's possible but I need a sample of the event in text format, not screenshot, highlighting the fields to extract.

Put the samples using "Insert Edit Code Sample" button.

Ciao.

Giuseppe

Re: customized Fields

ITWhisperer — Tue, 04 Apr 2023 08:53:32 GMT

| spath message | spath input=message

Re: customized Fields

JGP — Tue, 04 Apr 2023 09:09:36 GMT

where to find the button?

sample event for ref.

appid: 111111
cluster: abcdefgh
container_id: c44444444444444444444455555555555566666
container_image: docker-dev-local.artifactrepository.**************.net/*********-project-111111/********************:master-55-c3444444
container_image_id: docker-dev-local.artifactrepository.********.net/*********-project-111111/******@s*************************
container_name: ecs-***************
environment: dev
hosting_env: *******
hostname: app-14.********.ecs.*******
level: debug
log_type: app_containers
logroute: *******************
message: {"timestamp":"2023-03-30T12:29:51.684Z","msg":"REQUEST DATA : GET /generic/healthcheck, client=1.1.1.1]","logClass":"org.springframework.web.filter.CommonsRequestLoggingFilter","threadID":"http-nio-9099-exec-9","logLevel":"DEBUG","ID":"111111","teamName":"SL"}
namespace_id: 00000000000000000000000000000
namespace_name: ************************
openshift: { [+]
}
ose_workload: dev
pod_id: 1111111111111111111111111
pod_ip: 11.11.11.111
pod_name: **********************
sector: *******
timestamp: 2023-03-30T12:29:51.684743385+00:00

Re: customized Fields

Icecream123 — Tue, 04 Apr 2023 09:41:38 GMT

Hi,

You can try to perform regex on the field to get the required values from the field. The below if a sample regex to extract the loglevel or teamName or ID. (need to optimize further accordingly.)

|rex field=_raw ""logLevel":"(?<loglevel>\S*)","ID":"(?<ID>\S*)","teamName":"(?<teamname>\w*)"

If the message field is already extracted you can try:

|rex field=message ""logLevel":"(?<loglevel>\S*)","ID":"(?<ID>111111)","teamName":"(?<teamname>\w*)"

Hope this is what you are looking to do!

Re: Is there any possibility to split the value from the message field, like teamName, ID as a different field?

JGP — Fri, 07 Apr 2023 05:37:20 GMT

by any chance if we extract field "teamName", "ID " with the rex command can come under the event that pasted in the original post just like under message , namespace_id , namespace_name , .....?

Re: Is there any possibility to split the value from the message field, like teamName, ID as a different field?

JGP — Tue, 11 Apr 2023 04:17:52 GMT

any recommendations? we need those extracted fields to be come under the event details same like below message , namespace_id , namespace_name , .....?

Re: Is there any possibility to split the value from the message field, like teamName, ID as a different field?

yeahnah — Tue, 11 Apr 2023 04:44:36 GMT

Hi @JGP

It's a little ugly but since the message field looks to be valid JSON, you could do this...

... ``` backup event then rename message field to _raw ``` | eval raw=_raw | rename message AS _raw | extract ``` extract the json from _raw - n.b. it only works on _raw field ``` ``` rename _raw back to message, reset _raw event back to original and remove copy ``` | rename _raw AS message | eval _raw=raw | fields - raw

Not sure how well it scales on big data sets.

Anyway, hope it helps