topic Re: extract data in Knowledge Management

How to extract data?

vineela — Thu, 05 Jan 2023 21:19:31 GMT

i need to extract one field whichis not having as field value pair and i have to distinguish the logs based on that particular field.

Here is the example log:
{"log":"[10:30:04.075] [INFO ] [] [c.c.n.b.i.DefaultBusinessEventService] [akka://MmsAuCluster/system/sharding/notificationAuthBpmn/4/nmT9K3rySjyoHHzxO9jHnQ_4/nmT9K3rySjyoHHzxO9jHnQ] - method=prepare; triggerName=approvalStart, entity={'id'='0f86c9007ff511ed82ffd13c4d1f79a9a07ff511ed82ffd13c4d173b0a','eventCode'='approval','paymentSystemId'='MMS','servicingAgentBIC'='null','messageIdentification'='0f86ff511ed82ffd13c4d173b0a','businessDomainName'='Mandate','catalogCode'='AN','functionCode'='APAL_INTERACTION'}

Above log is the example here i have extracted other fields in log which has field value pairs like triggername,eventcode and all.

But i need to filter log for "c.c.n.b.i.DefaultBusinessEventService" and info logs.
Can anyone help me out ..how to filter logs based on above information.

thanks in advance

Re: extract data

gcusello — Thu, 05 Jan 2023 09:26:12 GMT

Hi @vineela,

this seems to be a json log so you can use the spath command (https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Spath), otherwise you can use this regex:

| rex "^[^\[]+\[[^\]]+\]\s+\[(?<log_level>[^\]]+)\]\s+\[[^\]]*\]\s+(?<your_field>[^\]]+)"

That you can test at https://regex101.com/r/xkkVfi/1

Ciao.

Giuseppe

Re: extract data

vineela — Mon, 09 Jan 2023 09:00:50 GMT

Thanks for your reply gcusello...That works great splunk champ

Re: extract data

gcusello — Mon, 09 Jan 2023 09:10:45 GMT

Hi @vineela,

good for you, see next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated 😉