topic Re: How to Extract the field from raw data in Dashboards & Visualizations

How to Extract the field from raw data

aditsss — Tue, 04 May 2021 06:28:21 GMT

Hi Everyone,

Can someone guide me how to extract the filed from raw data.(The field highlighted in bold)

2021-05-03T20:34:46.574469127Z app_name=blazegqlgway-a environment=e2 ns=blazegateway pod_container=blazegqlgway-a pod_name=blazegqlgway-a-deployment-11-5sk6b stream=stdout message=2021-05-03 13:34:46.574 INFO [dgfgateway,c6e3e9be5ff5499a,c6e3e9be5ff5499a,true] 1 --- [nio-8443-exec-7] c.a.s.g.s.h.ResponseRetrieverService : nodeUrl=https://abc/graphql, caller=200000949GCPSfdcCommerical, nodeHttpStatus=200, nodeResponseTime=691

2021-05-03T10:04:33.485822671Z app_name=blazegqlgway-a environment=e2 ns=blazegateway pod_container=blazegqlgway-a pod_name=blazegqlgway-a-deployment-11-5sk6b stream=stdout message=2021-05-03 03:04:33.485 INFO [dgfgateway,68cdbc43702536b4,68cdbc43702536b4,true] 1 --- [nio-8443-exec-7] c.a.s.g.s.h.ResponseRetrieverService : nodeUrl=https://jkl/graphql, caller=200000949GCPSfdcCommerical, nodeHttpStatus=200, nodeResponseTime=615

Thanks in advance

Re: How to Extract the field from raw data

bowesmana — Tue, 04 May 2021 06:38:50 GMT

Use rex

| rex field=_raw "message=(?<messageTime>\d+-\d+-\d+\s\d+:\d+:\d+\.\d+)"

but depending on how you have set up your ingestion, it's likely that Splunk is already finding the event time field from the timestamp of the event at the start of the raw data. Is that always the same. If so, you can use just _time.

Re: How to Extract the field from raw data

aasabatini — Tue, 04 May 2021 06:56:43 GMT

Hi @aditsss

in this case I suggest to use the extract key-value extraction

https://docs.splunk.com/Documentation/Splunk/8.1.3/Knowledge/Automatickey-valuefieldextractionsatsearch-time

most of your log is managed like this

key="value" key2="value"

in this case you can set this on your props.conf under the sourcetype stanza

KV_MODE = auto