How to extract Docker Daemon json data into proper fields

kvnvkumar — Thu, 17 Oct 2019 09:17:47 GMT

Hi All,

the below is the one event in splunk. How to extract MSG, PromotionId, requestId, status, command fields

{ [-]
log: 2019-10-15 11:56:47.047 INFO paXXX-command-service:ppe [XXXXXX,baff9b4ace879603,baff9b4ace879603] 23 --- [cb-computations-10] c.t.a.p.d.c.CommandStatusHandler : MSG=successfully saved command status, command=CreateXXXX, step=handle, commandStatusId=a570668b-eaa9-44ed-ac90-ac1de811e14a, promotionId=null, status=success, requestId=c5d33666-ecce-4fb1-967c-a71c5621e79e

stream: stdout
time: 2019-10-15T11:56:47.0473056Z
}

Re: How to extract Docker Daemon json data into proper fields

poete — Thu, 07 Nov 2019 07:20:34 GMT

Hello @kvnvkumar ,

First use spath to extract the log field from the event, and then use rex to extract the fields.

Please find below a working example.

| makeresults 
| eval _raw="{\"log\": \"2019-10-15 11:56:47.047 INFO paXXX-command-service:ppe [XXXXXX,baff9b4ace879603,baff9b4ace879603] 23 --- [cb-computations-10] c.t.a.p.d.c.CommandStatusHandler : MSG=successfully saved command status, command=CreateXXXX, step=handle, commandStatusId=a570668b-eaa9-44ed-ac90-ac1de811e14a, promotionId=null, status=success, requestId=c5d33666-ecce-4fb1-967c-a71c5621e79e\",\"stream\": \"stdout\",\"time\": \"2019-10-15T11:56:47.0473056Z\"}"
| spath
| rex field=log "MSG=(?<MSG>[A-Aa-z ]+)"
| rex field=log "promotionId=(?<PromotionId>[A-Za-z0-9 ]+),"
| rex field=log "requestId=(?<requestId>[A-Za-z0-9 -]+)"
| rex field=log "command=(?<command>[A-Za-z0-9 -]+),"

topic How to extract Docker Daemon json data into proper fields in Getting Data In

How to extract Docker Daemon json data into proper fields

Re: How to extract Docker Daemon json data into proper fields