https://community.splunk.com/t5/Dashboards-Visualizations/how-to-parse-Events-in-splunk-for-more-useful-dashboard-panels/m-p/579794#M47485 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/161352">@gcusello</a>&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/214410">@isoutamo</a>&nbsp; Thanks a lot. It helped to filter out the following info(<SPAN>views into failed mounts and types of failures(views into failed mounts and types of failures</SPAN>). However, im scratching my head to get the following info from the events, but not getting any clue to filter it out.</P><UL><LI>Realtime views around created/started containers/pod and failures</LI><LI>Realtime views on image pulls, success, backoffs, failures, denies</LI></UL><P>How can i attach the events list csv file here?</P> Mon, 03 Jan 2022 15:13:27 GMT karthiklen 2022-01-03T15:13:27Z https://community.splunk.com/t5/Dashboards-Visualizations/how-to-parse-Events-in-splunk-for-more-useful-dashboard-panels/m-p/579545#M47444 <P>Currently it's difficult to parse out the details of Cluster events in Splunk, to enable more useful Dashboard panels. Looking for suggestions to figure out a way to extract from the splunk event.go events, the columns that we would see when we run "oc get events" on a cluster; <STRONG>namespace, last seen, type, reason, object, message.</STRONG></P><P>Once we can extract those fields and make available as variables for splunk stats/tables/timechart, we can put some useful panels together to gauge plant health.</P><UL><LI>Realtime views around created/started containers/pod and failures</LI><LI>Realtime views around job start/failure/complete</LI><LI>Realtime views into failed mounts and types of failures</LI><LI>Realtime views on image pulls, success, backoffs, failures, denies</LI></UL><P>Appreciate the help with any docs/leads and high level ideas to achieve this please.</P><P>Sample Events:</P><P>Time Event</P><TABLE><TBODY><TR><TD>&nbsp;</TD><TD><SPAN class=""><SPAN>12/30/21</SPAN><BR /><SPAN>1:59:07.000 AM</SPAN></SPAN></TD><TD><DIV class=""><DIV class="">&nbsp;</DIV><DIV class="">&lt;<SPAN class="">135</SPAN>&gt;<SPAN class="">Dec</SPAN> <SPAN class="">30</SPAN> <SPAN class="">06:59:07</SPAN> <SPAN class="">9000n2.nodes.com</SPAN> <SPAN class="">kubernetes.var.log.containers.ku:</SPAN> <SPAN class="">namespace_name=openshift-kube-controller-manager</SPAN>, <SPAN class="">container_name=kube-controller-manager</SPAN>, <SPAN class="">pod_name=kube-controller-manager-9000n2.nodes.com</SPAN>, <SPAN class="">message=I1230</SPAN> <SPAN class="">06:58:56.139184</SPAN> <SPAN class="">1</SPAN> <SPAN class=""><SPAN class="">event.go</SPAN>:291</SPAN>] "<SPAN class="">Event</SPAN> <SPAN class="">occurred</SPAN>" <SPAN class="">object=</SPAN>"<SPAN class="">openshift-logging/elasticsearch-im-infra</SPAN>" <SPAN class="">kind=</SPAN>"<SPAN class="">CronJob</SPAN>" <SPAN class="">apiVersion=</SPAN>"<SPAN class="">batch/v1beta1</SPAN>" <SPAN class="">type=</SPAN>"<SPAN class="">Warning</SPAN>" <SPAN class="">reason=</SPAN>"<SPAN class="">FailedNeedsStart</SPAN>" <SPAN class="">message=</SPAN>"<SPAN class="">Cannot</SPAN> <SPAN class="">determine</SPAN> <SPAN class="">if</SPAN> <SPAN class="">job</SPAN> <SPAN class="">needs</SPAN> <SPAN class="">to</SPAN> <SPAN class="">be</SPAN> <SPAN class="">started:</SPAN> <SPAN class="">too</SPAN> <SPAN class="">many</SPAN> <SPAN class="">missed</SPAN> <SPAN class="">start</SPAN> <SPAN class="">time</SPAN> (&gt; <SPAN class="">100</SPAN>)<SPAN class="">.</SPAN> <SPAN class="">Set</SPAN> <SPAN class="">or</SPAN> <SPAN class="">decrease</SPAN> <SPAN class="">.spec.startingDeadlineSeconds</SPAN> <SPAN class="">or</SPAN> <SPAN class="">check</SPAN> <SPAN class="">clock</SPAN> <SPAN class="">skew"</SPAN></DIV></DIV><DIV class=""><UL class=""><LI><SPAN class="">host =</SPAN><SPAN>&nbsp;</SPAN><SPAN class=""><A title="laas-agent-log-forwarder-6dddb6d69c-95t4b" href="https://secure-splunk-ei.ms.com/en-US/app/search/search?q=search%20index%3Dlog-135473-prod%20event.go%20NOT%20%22l0.ms.com%22&amp;display.page.search.mode=verbose&amp;dispatch.sample_ratio=1&amp;earliest=-60m%40m&amp;latest=now&amp;sid=1640847563.26206_E2314982-117F-41CC-A2EF-3C5AEB241C6A#" target="_blank" rel="noopener">laas-agent-log-forwarder-6dddb6d69c-95t4b</A></SPAN></LI><LI><SPAN class="">source =</SPAN><SPAN>&nbsp;</SPAN><SPAN class=""><A title="/namespace/openshift-kube-controller-manager" href="https://secure-splunk-ei.ms.com/en-US/app/search/search?q=search%20index%3Dlog-135473-prod%20event.go%20NOT%20%22l0.ms.com%22&amp;display.page.search.mode=verbose&amp;dispatch.sample_ratio=1&amp;earliest=-60m%40m&amp;latest=now&amp;sid=1640847563.26206_E2314982-117F-41CC-A2EF-3C5AEB241C6A#" target="_blank" rel="noopener">/namespace/openshift-kube-controller-manager</A></SPAN></LI><LI><SPAN class="">sourcetype =</SPAN><SPAN>&nbsp;</SPAN><SPAN class=""><A title="ocpprod.steppingstone-infra1-pod1-devin1-openshift-kube-controller-manager:application" href="https://secure-splunk-ei.ms.com/en-US/app/search/search?q=search%20index%3Dlog-135473-prod%20event.go%20NOT%20%22l0.ms.com%22&amp;display.page.search.mode=verbose&amp;dispatch.sample_ratio=1&amp;earliest=-60m%40m&amp;latest=now&amp;sid=1640847563.26206_E2314982-117F-41CC-A2EF-3C5AEB241C6A#" target="_blank" rel="noopener">ocpprod.stepping-infra-openshift-kube-controller-manager:application</A></SPAN></LI></UL></DIV></TD></TR><TR><TD>&nbsp;</TD><TD><SPAN class=""><SPAN>12/30/21</SPAN><BR /><SPAN>1:59:07.000 AM</SPAN></SPAN></TD><TD><DIV class=""><DIV class="">&nbsp;</DIV><DIV class="">&lt;<SPAN class="">135</SPAN>&gt;<SPAN class="">Dec</SPAN> <SPAN class="">30</SPAN> <SPAN class="">06:59:07</SPAN> <SPAN class="">9000n2.nodes.com</SPAN> <SPAN class="">kubernetes.var.log.containers.ku:</SPAN> <SPAN class="">namespace_name=openshift-kube-controller-manager</SPAN>, <SPAN class="">container_name=kube-controller-manager</SPAN>, <SPAN class="">pod_name=kube-controller-manager-9000n2.nodes.com</SPAN>, <SPAN class="">message=I1230</SPAN> <SPAN class="">06:58:56.133312</SPAN> <SPAN class="">1</SPAN> <SPAN class=""><SPAN class="">event.go</SPAN>:291</SPAN>] "<SPAN class="">Event</SPAN> <SPAN class="">occurred</SPAN>" <SPAN class="">object=</SPAN>"<SPAN class="">openshift-logging/elasticsearch-im-audit</SPAN>" <SPAN class="">kind=</SPAN>"<SPAN class="">CronJob</SPAN>" <SPAN class="">apiVersion=</SPAN>"<SPAN class="">batch/v1beta1</SPAN>" <SPAN class="">type=</SPAN>"<SPAN class="">Warning</SPAN>" <SPAN class="">reason=</SPAN>"<SPAN class="">FailedNeedsStart</SPAN>" <SPAN class="">message=</SPAN>"<SPAN class="">Cannot</SPAN> <SPAN class="">determine</SPAN> <SPAN class="">if</SPAN> <SPAN class="">job</SPAN> <SPAN class="">needs</SPAN> <SPAN class="">to</SPAN> <SPAN class="">be</SPAN> <SPAN class="">started:</SPAN> <SPAN class="">too</SPAN> <SPAN class="">many</SPAN> <SPAN class="">missed</SPAN> <SPAN class="">start</SPAN> <SPAN class="">time</SPAN> (&gt; <SPAN class="">100</SPAN>)<SPAN class="">.</SPAN> <SPAN class="">Set</SPAN> <SPAN class="">or</SPAN> <SPAN class="">decrease</SPAN> <SPAN class="">.spec.startingDeadlineSeconds</SPAN> <SPAN class="">or</SPAN> <SPAN class="">check</SPAN> <SPAN class="">clock</SPAN> <SPAN class="">skew"</SPAN></DIV></DIV><DIV class=""><UL class=""><LI><SPAN class="">host =</SPAN><SPAN>&nbsp;</SPAN><SPAN class=""><A title="laas-agent-log-forwarder-6dddb6d69c-95t4b" href="https://secure-splunk-ei.ms.com/en-US/app/search/search?q=search%20index%3Dlog-135473-prod%20event.go%20NOT%20%22l0.ms.com%22&amp;display.page.search.mode=verbose&amp;dispatch.sample_ratio=1&amp;earliest=-60m%40m&amp;latest=now&amp;sid=1640847563.26206_E2314982-117F-41CC-A2EF-3C5AEB241C6A#" target="_blank" rel="noopener">laas-agent-log-forwarder-6dddb6d69c-95t4b</A></SPAN></LI><LI><SPAN class="">source =</SPAN><SPAN>&nbsp;</SPAN><SPAN class=""><A title="/namespace/openshift-kube-controller-manager" href="https://secure-splunk-ei.ms.com/en-US/app/search/search?q=search%20index%3Dlog-135473-prod%20event.go%20NOT%20%22l0.ms.com%22&amp;display.page.search.mode=verbose&amp;dispatch.sample_ratio=1&amp;earliest=-60m%40m&amp;latest=now&amp;sid=1640847563.26206_E2314982-117F-41CC-A2EF-3C5AEB241C6A#" target="_blank" rel="noopener">/namespace/openshift-kube-controller-manager</A></SPAN></LI><LI><SPAN class="">sourcetype =</SPAN><SPAN>&nbsp;</SPAN><SPAN class=""><A title="ocpprod.steppingstone-infra1-pod1-devin1-openshift-kube-controller-manager:application" href="https://secure-splunk-ei.ms.com/en-US/app/search/search?q=search%20index%3Dlog-135473-prod%20event.go%20NOT%20%22l0.ms.com%22&amp;display.page.search.mode=verbose&amp;dispatch.sample_ratio=1&amp;earliest=-60m%40m&amp;latest=now&amp;sid=1640847563.26206_E2314982-117F-41CC-A2EF-3C5AEB241C6A#" target="_blank" rel="noopener">ocpprod.stepping-infra-openshift-kube-controller-manager:application</A></SPAN></LI></UL></DIV></TD></TR></TBODY></TABLE> Thu, 30 Dec 2021 07:10:46 GMT https://community.splunk.com/t5/Dashboards-Visualizations/how-to-parse-Events-in-splunk-for-more-useful-dashboard-panels/m-p/579545#M47444 karthiklen 2021-12-30T07:10:46Z https://community.splunk.com/t5/Dashboards-Visualizations/how-to-parse-Events-in-splunk-for-more-useful-dashboard-panels/m-p/579547#M47445 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/241817">@karthiklen</a>,</P><P>let me understand: you have problems to extract the needed fields from your logs or what else?</P><P>If this is your need, please try this regex to create a field extraction to use in all your panels:</P><LI-CODE lang="markup">^\&lt;\d+\&gt;(?&lt;last_seen&gt;\w+\s+\d+\s+\d+:\d+:\d+).*namespace_name\=(?&lt;namespace_name&gt;[^,]+),\s+container_name\=(?&lt;container_name&gt;[^,]+),\s+pod_name\=(?&lt;pod_name&gt;[^,]+),\s+message\=(?&lt;message1&gt;[^\]]+).*object\=\"(?&lt;object&gt;[^\"]+)\"\s+kind\=\"(?&lt;kind&gt;[^\"]+)\"\s+apiVersion\=\"(?&lt;apiVersion&gt;[^\"]+)\"\s+type\=\"(?&lt;type&gt;[^\"]+)\"\s+reason\=\"(?&lt;reason&gt;[^\"]+)\"\s+message\=\"(?&lt;message2&gt;[^\"]+)\"</LI-CODE><P>That you can test at&nbsp;<A href="https://regex101.com/r/OmVEZl/1" target="_blank">https://regex101.com/r/OmVEZl/1</A></P><P>Ciao.</P><P>Giuseppe</P> Thu, 30 Dec 2021 07:31:07 GMT https://community.splunk.com/t5/Dashboards-Visualizations/how-to-parse-Events-in-splunk-for-more-useful-dashboard-panels/m-p/579547#M47445 gcusello 2021-12-30T07:31:07Z https://community.splunk.com/t5/Dashboards-Visualizations/how-to-parse-Events-in-splunk-for-more-useful-dashboard-panels/m-p/579555#M47446 <P>Thanks much&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/161352">@gcusello</a>&nbsp;</P><P>Yeah, your understand is correct. Need to extract the required fields(<STRONG>namespace, last seen, type, reason, object, message</STRONG>) from the sample log and use those fields to create different new panels.</P><P>The search query which you provided seems promising and helpful.&nbsp;</P><P>Does below query looks good?</P><P>index=log-135473-prod event.go NOT "l0.ms.com" <STRONG>| rex field=_raw</STRONG> ^\&lt;\d+\&gt;(?&lt;last_seen&gt;\w+\s+\d+\s+\d+:\d+:\d+).*namespace_name\=(?&lt;namespace_name&gt;[^,]+),\s+container_name\=(?&lt;container_name&gt;[^,]+),\s+pod_name\=(?&lt;pod_name&gt;[^,]+),\s+message\=(?&lt;message1&gt;[^\]]+).*object\=\"(?&lt;object&gt;[^\"]+)\"\s+kind\=\"(?&lt;kind&gt;[^\"]+)\"\s+apiVersion\=\"(?&lt;apiVersion&gt;[^\"]+)\"\s+type\=\"(?&lt;type&gt;[^\"]+)\"\s+reason\=\"(?&lt;reason&gt;[^\"]+)\"\s+message\=\"(?&lt;message2&gt;[^\"]+)\"</P><P>Also, How can i get new fields named cluster_namespace=&nbsp;<SPAN class="">openshift-logging and cluster_podname=elasticsearch-im-infra from below field? considering "/" as a separator here</SPAN></P><P><SPAN class="">object=</SPAN><SPAN>"</SPAN><SPAN class="">openshift-logging/elasticsearch-im-infra</SPAN><SPAN>"&nbsp;</SPAN></P> Thu, 30 Dec 2021 08:17:05 GMT https://community.splunk.com/t5/Dashboards-Visualizations/how-to-parse-Events-in-splunk-for-more-useful-dashboard-panels/m-p/579555#M47446 karthiklen 2021-12-30T08:17:05Z https://community.splunk.com/t5/Dashboards-Visualizations/how-to-parse-Events-in-splunk-for-more-useful-dashboard-panels/m-p/579557#M47447 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/241817">@karthiklen</a>,</P><P>if you're interested to maintain the object field, you could use something like this:</P><P>&nbsp;</P><LI-CODE lang="markup">index=log-135473-prod event.go NOT "l0.ms.com" | rex field=_raw ^\&lt;\d+\&gt;(?&lt;last_seen&gt;\w+\s+\d+\s+\d+:\d+:\d+).*namespace_name\=(?&lt;namespace_name&gt;[^,]+),\s+container_name\=(?&lt;container_name&gt;[^,]+),\s+pod_name\=(?&lt;pod_name&gt;[^,]+),\s+message\=(?&lt;message1&gt;[^\]]+).*object\=\"(?&lt;object&gt;[^\"]+)\"\s+kind\=\"(?&lt;kind&gt;[^\"]+)\"\s+apiVersion\=\"(?&lt;apiVersion&gt;[^\"]+)\"\s+type\=\"(?&lt;type&gt;[^\"]+)\"\s+reason\=\"(?&lt;reason&gt;[^\"]+)\"\s+message\=\"(?&lt;message2&gt;[^\"]+)\" | rex field=object "^(?&lt;cluster_namespace&gt;[^\/]+)\/(?&lt;cluster_podname&gt;.*)"</LI-CODE><P>&nbsp;</P><P>or, otherwise, if you want to use one single regex, you could use:</P><P>&nbsp;</P><LI-CODE lang="markup">^\&lt;\d+\&gt;(?&lt;last_seen&gt;\w+\s+\d+\s+\d+:\d+:\d+).*namespace_name\=(?&lt;namespace_name&gt;[^,]+),\s+container_name\=(?&lt;container_name&gt;[^,]+),\s+pod_name\=(?&lt;pod_name&gt;[^,]+),\s+message\=(?&lt;message1&gt;[^\]]+).*object\=\"(?&lt;cluster_namespace&gt;[^\/]+)\/(?&lt;cluster_podname&gt;[^\"]+)\"\s+kind\=\"(?&lt;kind&gt;[^\"]+)\"\s+apiVersion\=\"(?&lt;apiVersion&gt;[^\"]+)\"\s+type\=\"(?&lt;type&gt;[^\"]+)\"\s+reason\=\"(?&lt;reason&gt;[^\"]+)\"\s+message\=\"(?&lt;message2&gt;[^\"]+)\"</LI-CODE><P>&nbsp;</P><P>That you can test at <A href="https://regex101.com/r/DyPs7h/1" target="_blank">https://regex101.com/r/DyPs7h/1</A></P><P>Ciao.</P><P>Giuseppe</P><P>P.S.: Karma Points are appreciated <span class="lia-unicode-emoji" title=":winking_face:">😉</span></P> Thu, 30 Dec 2021 08:30:55 GMT https://community.splunk.com/t5/Dashboards-Visualizations/how-to-parse-Events-in-splunk-for-more-useful-dashboard-panels/m-p/579557#M47447 gcusello 2021-12-30T08:30:55Z https://community.splunk.com/t5/Dashboards-Visualizations/how-to-parse-Events-in-splunk-for-more-useful-dashboard-panels/m-p/579559#M47448 <P>Hi</P><P>You can get those with this</P><LI-CODE lang="markup">| makeresults | eval _raw="&lt;135&gt;Dec 30 06:59:07 9000n2.nodes.com kubernetes.var.log.containers.ku: namespace_name=openshift-kube-controller-manager, container_name=kube-controller-manager, pod_name=kube-controller-manager-9000n2.nodes.com, message=I1230 06:58:56.139184 1 event.go:291] \"Event occurred\" object=\"openshift-logging/elasticsearch-im-infra\" kind=\"CronJob\" apiVersion=\"batch/v1beta1\" type=\"Warning\" reason=\"FailedNeedsStart\" message=\"Cannot determine if job needs to be started: too many missed start time (&gt; 100). Set or decrease .spec.startingDeadlineSeconds or check clock skew\" &lt;135&gt;Dec 30 06:59:07 9000n2.nodes.com kubernetes.var.log.containers.ku: namespace_name=openshift-kube-controller-manager, container_name=kube-controller-manager, pod_name=kube-controller-manager-9000n2.nodes.com, message=I1230 06:58:56.133312 1 event.go:291] \"Event occurred\" object=\"openshift-logging/elasticsearch-im-audit\" kind=\"CronJob\" apiVersion=\"batch/v1beta1\" type=\"Warning\" reason=\"FailedNeedsStart\" message=\"Cannot determine if job needs to be started: too many missed start time (&gt; 100). Set or decrease .spec.startingDeadlineSeconds or check clock skew\"" | multikv noheader=t ``` above generate sample data based on your example. You should change this to your base query``` | rex field=_raw "^\&lt;\d+\&gt;(?&lt;last_seen&gt;\w+\s+\d+\s+\d+:\d+:\d+).* namespace_name=(?&lt;namespace_name&gt;[^,]+),\s+container_name=(?&lt;container_name&gt;[^,]+),\s+pod_name=(?&lt;pod_name&gt;[^,]+),\s+message=(?&lt;message1&gt;[^\]]+).*object=\"(?&lt;object&gt;[^\"]+)\"\s+kind=\"(?&lt;kind&gt;[^\"]+)\"\s+apiVersion=\"(?&lt;apiVersion&gt;[^\"]+)\"\s+type=\"(?&lt;type&gt;[^\"]+)\"\s+reason=\"(?&lt;reason&gt;[^\"]+)\"\s+message=\"(?&lt;message2&gt;[^\"]+)\"" | rex field=object "(?&lt;cluster_namespace&gt;[^/]+)/(?&lt;cluster_podname&gt;(.*))" | table namespace_name, last_seen, type, reason, object, cluster_namespace, cluster_podname,message1, message2</LI-CODE><P>r. Ismo&nbsp;</P> Thu, 30 Dec 2021 08:41:15 GMT https://community.splunk.com/t5/Dashboards-Visualizations/how-to-parse-Events-in-splunk-for-more-useful-dashboard-panels/m-p/579559#M47448 isoutamo 2021-12-30T08:41:15Z https://community.splunk.com/t5/Dashboards-Visualizations/how-to-parse-Events-in-splunk-for-more-useful-dashboard-panels/m-p/579794#M47485 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/161352">@gcusello</a>&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/214410">@isoutamo</a>&nbsp; Thanks a lot. It helped to filter out the following info(<SPAN>views into failed mounts and types of failures(views into failed mounts and types of failures</SPAN>). However, im scratching my head to get the following info from the events, but not getting any clue to filter it out.</P><UL><LI>Realtime views around created/started containers/pod and failures</LI><LI>Realtime views on image pulls, success, backoffs, failures, denies</LI></UL><P>How can i attach the events list csv file here?</P> Mon, 03 Jan 2022 15:13:27 GMT https://community.splunk.com/t5/Dashboards-Visualizations/how-to-parse-Events-in-splunk-for-more-useful-dashboard-panels/m-p/579794#M47485 karthiklen 2022-01-03T15:13:27Z https://community.splunk.com/t5/Dashboards-Visualizations/how-to-parse-Events-in-splunk-for-more-useful-dashboard-panels/m-p/579795#M47486 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/241817">@karthiklen</a>,</P><P>it isn't so easy to have a real time view taking logs from csv, maybe you should rethink the log ingestyion way!</P><P>Anyway, viewing your few events I cannot identify the creation/starting/failure events.</P><P>If you could share some events for each kind of event I could help you more.</P><P>Anyway, you could use the stats command to group events for each contaner/pod and use the eval to count only the ones for creation or failure events, so e.g. if the field where you can define the kind of event is "type": type=error for failures type=starting for start and so on, you could run something like this:</P><LI-CODE lang="markup">index=log-135473-prod event.go NOT "l0.ms.com" | rex field=_raw ^\&lt;\d+\&gt;(?&lt;last_seen&gt;\w+\s+\d+\s+\d+:\d+:\d+).*namespace_name\=(?&lt;namespace_name&gt;[^,]+),\s+container_name\=(?&lt;container_name&gt;[^,]+),\s+pod_name\=(?&lt;pod_name&gt;[^,]+),\s+message\=(?&lt;message1&gt;[^\]]+).*object\=\"(?&lt;object&gt;[^\"]+)\"\s+kind\=\"(?&lt;kind&gt;[^\"]+)\"\s+apiVersion\=\"(?&lt;apiVersion&gt;[^\"]+)\"\s+type\=\"(?&lt;type&gt;[^\"]+)\"\s+reason\=\"(?&lt;reason&gt;[^\"]+)\"\s+message\=\"(?&lt;message2&gt;[^\"]+)\" | rex field=object "^(?&lt;cluster_namespace&gt;[^\/]+)\/(?&lt;cluster_podname&gt;.*)" | stats count(eval(type="error")) AS failures count(eval(type="start")) AS startings BY container_name pod_name</LI-CODE><P>This is a sample to guide you.</P><P>Ciao.</P><P>Giuseppe</P> Mon, 03 Jan 2022 15:24:48 GMT https://community.splunk.com/t5/Dashboards-Visualizations/how-to-parse-Events-in-splunk-for-more-useful-dashboard-panels/m-p/579795#M47486 gcusello 2022-01-03T15:24:48Z https://community.splunk.com/t5/Dashboards-Visualizations/how-to-parse-Events-in-splunk-for-more-useful-dashboard-panels/m-p/580132#M47522 <P>Here are some events with Failed/SuccessfulCreate. But the challenge is that we need to filter out and make a stats of the events 'Failed/SuccessfulCreate' of kind= Replicaset/statefulset/Deployment/Daemonset.</P><P>Attached the raw events from one of the kubernetes cluster.&nbsp; The basic idea is get the stats of pod/containers failures/create statistics in splunk like we get from 'kubectl get events'</P><P>&nbsp;</P><P>&lt;135&gt;Jan 6 10:39:26 control1.ai1-dev.dd.k8s.c0.ms.com kubernetes.var.log.containers.ku: namespace_name=openshift-kube-controller-manager, container_name=kube-controller-manager, pod_name=kube-controller-manager-control1.ai1-dev.dd.k8s.c0.ms.com, message=I0106 10:38:56.512561 1 event.go:291] "Event occurred" object="clp-monitoring/loki-distributed-gateway-6bcfd9dc99" kind="ReplicaSet" apiVersion="apps/v1" type="Warning" reason="FailedCreate" message="Error creating: admission webhook \"endorse-validating-webhook.ai1-dev.dd.k8s.c0.ms.com\" denied the request: Denying image infra1.kod.ms.com:5000/nginxinc/nginx-unprivileged:1.19-alpine from unrecognized image registry infra1.kod.ms.com:5000."<BR /><BR />&lt;135&gt;Jan 6 10:39:26 control1.ai1-dev.dd.k8s.c0.ms.com kubernetes.var.log.containers.ku: namespace_name=openshift-kube-controller-manager, container_name=kube-controller-manager, pod_name=kube-controller-manager-control1.ai1-dev.dd.k8s.c0.ms.com, message=I0106 10:38:56.500812 1 event.go:291] "Event occurred" object="loki-distributed/loki-loki-distributed-gateway-599d76c47c" kind="ReplicaSet" apiVersion="apps/v1" type="Warning" reason="FailedCreate" message="Error creating: pods \"loki-loki-distributed-gateway-599d76c47c-\" is forbidden: unable to validate against any security context constraint: [provider restricted: .spec.securityContext.fsGroup: Invalid value: []int64{1001160000}: 1001160000 is not an allowed group spec.containers[0].securityContext.runAsUser: Invalid value: 1001160000: must be in the ranges: [1001040000, 1001049999]]"</P><P><BR />&lt;135&gt;Jan 6 10:39:26 control1.ai1-dev.dd.k8s.c0.ms.com kubernetes.var.log.containers.ku: namespace_name=openshift-kube-controller-manager, container_name=kube-controller-manager, pod_name=kube-controller-manager-control1.ai1-dev.dd.k8s.c0.ms.com, message=I0106 10:38:56.499675 1 event.go:291] "Event occurred" object="loki-distributed/loki-loki-distributed-distributor-c886b96fc" kind="ReplicaSet" apiVersion="apps/v1" type="Warning" reason="FailedCreate" message="Error creating: pods \"loki-loki-distributed-distributor-c886b96fc-\" is forbidden: unable to validate against any security context constraint: [provider restricted: .spec.securityContext.fsGroup: Invalid value: []int64{1001160000}: 1001160000 is not an allowed group spec.containers[0].securityContext.runAsUser: Invalid value: 1001160000: must be in the ranges: [1001040000, 1001049999]]"</P><P>&lt;135&gt;Jan 6 10:36:51 control1.app9.hz.k8s.c0.ms.com kubernetes.var.log.containers.ku: namespace_name=openshift-kube-controller-manager, container_name=kube-controller-manager, pod_name=kube-controller-manager-control1.app9.hz.k8s.c0.ms.com, message=I0106 10:36:10.686055 1 event.go:291] "Event occurred" object="tigera-dex/tigera-dex-9d895b785" kind="ReplicaSet" apiVersion="apps/v1" type="Normal" reason="SuccessfulCreate" message="Created pod: tigera-dex-9d895b785-9jdgv"</P><P>&lt;135&gt;Jan 6 10:19:08 control3.stepping-stone1-dev.dd.k8s.c0.ms.com kubernetes.var.log.containers.ku: namespace_name=openshift-kube-controller-manager, container_name=kube-controller-manager, pod_name=kube-controller-manager-control3.stepping-stone1-dev.dd.k8s.c0.ms.com, message=I0106 10:18:48.721499 1 event.go:291] "Event occurred" object="git-mirror/git-mirror-morgan-stanley-cloud-git-mirror-0" kind="Pod" apiVersion="v1" type="Warning" reason="FailedAttachVolume" message="AttachVolume.Attach failed for volume \"pvc-9361ced0-07fe-4212-9e7d-9efdc6369fd0\" : CSINode dd9002c17n1.nodes.c0.ms.com does not contain driver csi.trident.netapp.io"</P><P>&lt;135&gt;Jan 6 14:04:23 control3.ai2-dev.dd.k8s.c0.ms.com fluentd: docker:{"container_id"=&gt;"cd60f994892219216651d53275d0eb4a1d1fee53cfd6f4ba50c48711297ee0d3"} kubernetes:{"container_name"=&gt;"kube-controller-manager", "namespace_name"=&gt;"openshift-kube-controller-manager", "pod_name"=&gt;"kube-controller-manager-control3.ai2-dev.dd.k8s.c0.ms.com", "pod_id"=&gt;"8429ce46-b305-4691-9258-98a7acb24e39", "host"=&gt;"control3.ai2-dev.dd.k8s.c0.ms.com", "master_url"=&gt;"<A href="https://kubernetes.default.svc" target="_blank">https://kubernetes.default.svc</A>", "namespace_id"=&gt;"13d0f6f3-67a7-4f90-90b5-20f0311a4c9c", "namespace_labels"=&gt;{"openshift_io/cluster-monitoring"=&gt;"true", "openshift_io/run-level"=&gt;"0"}, :flat_labels=&gt;["app=kube-controller-manager", "kube-controller-manager=true", "revision=15"]} message:I0106 14:04:21.415065 1 event.go:291] "Event occurred" object="cps/prometheus-xiaomin-test-o11y-prometheus-server-6c65f45c79" kind="ReplicaSet" apiVersion="apps/v1" type="Warning" reason="FailedCreate" message="Error creating: pods \"prometheus-xiaomin-test-o11y-prometheus-server-6c65f45c79-\" is forbidden: unable to validate against any security context constraint: [provider restricted: .spec.securityContext.fsGroup: Invalid value: []int64{65534}: 65534 is not an allowed group pod.metadata.annotations.seccomp.security.alpha.kubernetes.io/pod: Forbidden: seccomp may not be set spec.containers[0].securityContext.runAsUser: Invalid value: 65535: must be in the ranges: [1000840000, 1000849999] pod.metadata.annotations.container.seccomp.security.alpha.kubernetes.io/o11y-prometheus-server: Forbidden: seccomp may not be set]" level:unknown hostname:control3.ai2-dev.dd.k8s.c0.ms.com pipeline_metadata:{"collector"=&gt;{"ipaddr4"=&gt;"10.85.166.220", "inputname"=&gt;"fluent-plugin-systemd", "name"=&gt;"fluentd", "received_at"=&gt;"2022-01-06T14:04:22.323401+00:00", "version"=&gt;"1.7.4 1.6.0"}} @timestamp:2022-01-06T14:04:21.415092+00:00 viaq_index_name:infra-write viaq_msg_id:ZThjZjliMzYtZWY4NS00N2FmLWE5MTgtOGRmMTY4NWQ1MmMw</P> Thu, 06 Jan 2022 15:11:15 GMT https://community.splunk.com/t5/Dashboards-Visualizations/how-to-parse-Events-in-splunk-for-more-useful-dashboard-panels/m-p/580132#M47522 karthiklen 2022-01-06T15:11:15Z https://community.splunk.com/t5/Dashboards-Visualizations/how-to-parse-Events-in-splunk-for-more-useful-dashboard-panels/m-p/580396#M47543 <P>Appreciate any suggestions on this please.</P><P>&nbsp;</P> Mon, 10 Jan 2022 05:37:40 GMT https://community.splunk.com/t5/Dashboards-Visualizations/how-to-parse-Events-in-splunk-for-more-useful-dashboard-panels/m-p/580396#M47543 karthiklen 2022-01-10T05:37:40Z https://community.splunk.com/t5/Dashboards-Visualizations/how-to-parse-Events-in-splunk-for-more-useful-dashboard-panels/m-p/580407#M47545 <P>I'm not sure if this is suitable, but you could try this.</P><LI-CODE lang="markup">| makeresults | eval _raw="&lt;135&gt;Jan 6 10:39:26 control1.ai1-dev.dd.k8s.c0.ms.com kubernetes.var.log.containers.ku: namespace_name=openshift-kube-controller-manager, container_name=kube-controller-manager, pod_name=kube-controller-manager-control1.ai1-dev.dd.k8s.c0.ms.com, message=I0106 10:38:56.512561 1 event.go:291] \"Event occurred\" object=\"clp-monitoring/loki-distributed-gateway-6bcfd9dc99\" kind=\"ReplicaSet\" apiVersion=\"apps/v1\" type=\"Warning\" reason=\"FailedCreate\" message=\"Error creating: admission webhook \\\"endorse-validating-webhook.ai1-dev.dd.k8s.c0.ms.com\\\" denied the request: Denying image infra1.kod.ms.com:5000/nginxinc/nginx-unprivileged:1.19-alpine from unrecognized image registry infra1.kod.ms.com:5000.\" &lt;135&gt;Jan 6 10:39:26 control1.ai1-dev.dd.k8s.c0.ms.com kubernetes.var.log.containers.ku: namespace_name=openshift-kube-controller-manager, container_name=kube-controller-manager, pod_name=kube-controller-manager-control1.ai1-dev.dd.k8s.c0.ms.com, message=I0106 10:38:56.500812 1 event.go:291] \"Event occurred\" object=\"loki-distributed/loki-loki-distributed-gateway-599d76c47c\" kind=\"ReplicaSet\" apiVersion=\"apps/v1\" type=\"Warning\" reason=\"FailedCreate\" message=\"Error creating: pods \\\"loki-loki-distributed-gateway-599d76c47c-\\\" is forbidden: unable to validate against any security context constraint: [provider restricted: .spec.securityContext.fsGroup: Invalid value: []int64{1001160000}: 1001160000 is not an allowed group spec.containers[0].securityContext.runAsUser: Invalid value: 1001160000: must be in the ranges: [1001040000, 1001049999]]\" &lt;135&gt;Jan 6 10:39:26 control1.ai1-dev.dd.k8s.c0.ms.com kubernetes.var.log.containers.ku: namespace_name=openshift-kube-controller-manager, container_name=kube-controller-manager, pod_name=kube-controller-manager-control1.ai1-dev.dd.k8s.c0.ms.com, message=I0106 10:38:56.499675 1 event.go:291] \"Event occurred\" object=\"loki-distributed/loki-loki-distributed-distributor-c886b96fc\" kind=\"ReplicaSet\" apiVersion=\"apps/v1\" type=\"Warning\" reason=\"FailedCreate\" message=\"Error creating: pods \\\"loki-loki-distributed-distributor-c886b96fc-\\\" is forbidden: unable to validate against any security context constraint: [provider restricted: .spec.securityContext.fsGroup: Invalid value: []int64{1001160000}: 1001160000 is not an allowed group spec.containers[0].securityContext.runAsUser: Invalid value: 1001160000: must be in the ranges: [1001040000, 1001049999]]\" &lt;135&gt;Jan 6 10:36:51 control1.app9.hz.k8s.c0.ms.com kubernetes.var.log.containers.ku: namespace_name=openshift-kube-controller-manager, container_name=kube-controller-manager, pod_name=kube-controller-manager-control1.app9.hz.k8s.c0.ms.com, message=I0106 10:36:10.686055 1 event.go:291] \"Event occurred\" object=\"tigera-dex/tigera-dex-9d895b785\" kind=\"ReplicaSet\" apiVersion=\"apps/v1\" type=\"Normal\" reason=\"SuccessfulCreate\" message=\"Created pod: tigera-dex-9d895b785-9jdgv\" &lt;135&gt;Jan 6 10:19:08 control3.stepping-stone1-dev.dd.k8s.c0.ms.com kubernetes.var.log.containers.ku: namespace_name=openshift-kube-controller-manager, container_name=kube-controller-manager, pod_name=kube-controller-manager-control3.stepping-stone1-dev.dd.k8s.c0.ms.com, message=I0106 10:18:48.721499 1 event.go:291] \"Event occurred\" object=\"git-mirror/git-mirror-morgan-stanley-cloud-git-mirror-0\" kind=\"Pod\" apiVersion=\"v1\" type=\"Warning\" reason=\"FailedAttachVolume\" message=\"AttachVolume.Attach failed for volume \\\"pvc-9361ced0-07fe-4212-9e7d-9efdc6369fd0\\\" : CSINode dd9002c17n1.nodes.c0.ms.com does not contain driver csi.trident.netapp.io\" &lt;135&gt;Jan 6 14:04:23 control3.ai2-dev.dd.k8s.c0.ms.com fluentd: docker:{\"container_id\"=&gt;\"cd60f994892219216651d53275d0eb4a1d1fee53cfd6f4ba50c48711297ee0d3\"} kubernetes:{\"container_name\"=&gt;\"kube-controller-manager\", \"namespace_name\"=&gt;\"openshift-kube-controller-manager\", \"pod_name\"=&gt;\"kube-controller-manager-control3.ai2-dev.dd.k8s.c0.ms.com\", \"pod_id\"=&gt;\"8429ce46-b305-4691-9258-98a7acb24e39\", \"host\"=&gt;\"control3.ai2-dev.dd.k8s.c0.ms.com\", \"master_url\"=&gt;\"https://kubernetes.default.svc\", \"namespace_id\"=&gt;\"13d0f6f3-67a7-4f90-90b5-20f0311a4c9c\", \"namespace_labels\"=&gt;{\"openshift_io/cluster-monitoring\"=&gt;\"true\", \"openshift_io/run-level\"=&gt;\"0\"}, :flat_labels=&gt;[\"app=kube-controller-manager\", \"kube-controller-manager=true\", \"revision=15\"]} message:I0106 14:04:21.415065 1 event.go:291] \"Event occurred\" object=\"cps/prometheus-xiaomin-test-o11y-prometheus-server-6c65f45c79\" kind=\"ReplicaSet\" apiVersion=\"apps/v1\" type=\"Warning\" reason=\"FailedCreate\" message=\"Error creating: pods \\\"prometheus-xiaomin-test-o11y-prometheus-server-6c65f45c79-\\\" is forbidden: unable to validate against any security context constraint: [provider restricted: .spec.securityContext.fsGroup: Invalid value: []int64{65534}: 65534 is not an allowed group pod.metadata.annotations.seccomp.security.alpha.kubernetes.io/pod: Forbidden: seccomp may not be set spec.containers[0].securityContext.runAsUser: Invalid value: 65535: must be in the ranges: [1000840000, 1000849999] pod.metadata.annotations.container.seccomp.security.alpha.kubernetes.io/o11y-prometheus-server: Forbidden: seccomp may not be set]\" level:unknown hostname:control3.ai2-dev.dd.k8s.c0.ms.com pipeline_metadata:{\"collector\"=&gt;{\"ipaddr4\"=&gt;\"10.85.166.220\", \"inputname\"=&gt;\"fluent-plugin-systemd\", \"name\"=&gt;\"fluentd\", \"received_at\"=&gt;\"2022-01-06T14:04:22.323401+00:00\", \"version\"=&gt;\"1.7.4 1.6.0\"}} @timestamp:2022-01-06T14:04:21.415092+00:00 viaq_index_name:infra-write viaq_msg_id:ZThjZjliMzYtZWY4NS00N2FmLWE5MTgtOGRmMTY4NWQ1MmMw" | multikv noheader=t | extract | rex "^&lt;\d+&gt;(?&lt;time&gt;\w+\s+\d+\s+\d+:\d+:\d+)\s+(?&lt;host&gt;[^\s]+)" | eval _time = strptime(time, "%b %e %H:%M:%S") | fields - time Column* | table _time host kind reason * _raw ``` Above makes test events ``` | stats count by kind reason</LI-CODE><P>&nbsp;</P><P>Maybe you should try some other way to ingest that data as&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/161352">@gcusello</a>&nbsp;proposed. In splunkbase there seems to be at least two different apps/TAs to analyse and monitor k8s logs.</P><P>r. Ismo</P> Mon, 10 Jan 2022 07:07:07 GMT https://community.splunk.com/t5/Dashboards-Visualizations/how-to-parse-Events-in-splunk-for-more-useful-dashboard-panels/m-p/580407#M47545 isoutamo 2022-01-10T07:07:07Z https://community.splunk.com/t5/Dashboards-Visualizations/how-to-parse-Events-in-splunk-for-more-useful-dashboard-panels/m-p/580557#M47553 <P>Thanks&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/214410">@isoutamo</a>&nbsp;&nbsp;</P><P>I have already got each fields extracted. Now, i have challenges with filtering out exact events related to pod and make the stats of pod/containers failures/create statistics in splunk like we get from 'kubectl get events'.</P><P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/161352">@gcusello</a>&nbsp;Do we have any&nbsp;<SPAN>apps/TAs to analyze&nbsp;and monitor k8s logs? All i need is a stats/table of events related to pod(with failures,created, imagepullbackoff, etc..) and of kind=Repliacaset/statefulset/deployment.</SPAN></P><P>Attached the raw events from one of the kubernetes cluster.&nbsp;&nbsp;</P> Tue, 11 Jan 2022 08:23:06 GMT https://community.splunk.com/t5/Dashboards-Visualizations/how-to-parse-Events-in-splunk-for-more-useful-dashboard-panels/m-p/580557#M47553 karthiklen 2022-01-11T08:23:06Z https://community.splunk.com/t5/Dashboards-Visualizations/how-to-parse-Events-in-splunk-for-more-useful-dashboard-panels/m-p/580558#M47554 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/241817">@karthiklen</a>,</P><P>search in apps.splunk.com the Apps and TAs for Azure, probably you'll find what you need.</P><P>E,g, there's the Microsoft Azure App for Splunk (<A href="https://splunkbase.splunk.com/app/4882/" target="_blank">https://splunkbase.splunk.com/app/4882/</A>) that should answer to your need, put attention to the requirements of this app especially in terms of add-ons to install and how to configure it.</P><P>Ciao.</P><P>Giuseppe</P> Tue, 11 Jan 2022 08:36:01 GMT https://community.splunk.com/t5/Dashboards-Visualizations/how-to-parse-Events-in-splunk-for-more-useful-dashboard-panels/m-p/580558#M47554 gcusello 2022-01-11T08:36:01Z https://community.splunk.com/t5/Dashboards-Visualizations/how-to-parse-Events-in-splunk-for-more-useful-dashboard-panels/m-p/580590#M47555 <P>Thanks&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/161352">@gcusello</a>&nbsp;</P><P>Just understand that my firm doesnt allow to install external apps to achieve this.</P><P>Shall i request for a search query in secure-splunk itself to achieve this? Like i explained earlier, Just need a stats for pod health from the events already present in splunk.</P> Tue, 11 Jan 2022 12:13:25 GMT https://community.splunk.com/t5/Dashboards-Visualizations/how-to-parse-Events-in-splunk-for-more-useful-dashboard-panels/m-p/580590#M47555 karthiklen 2022-01-11T12:13:25Z https://community.splunk.com/t5/Dashboards-Visualizations/how-to-parse-Events-in-splunk-for-more-useful-dashboard-panels/m-p/580593#M47556 Maybe you could download it to your own workstation and then look it and use it as a "source of your inspiration" ;-? Tue, 11 Jan 2022 12:18:15 GMT https://community.splunk.com/t5/Dashboards-Visualizations/how-to-parse-Events-in-splunk-for-more-useful-dashboard-panels/m-p/580593#M47556 isoutamo 2022-01-11T12:18:15Z https://community.splunk.com/t5/Dashboards-Visualizations/how-to-parse-Events-in-splunk-for-more-useful-dashboard-panels/m-p/580594#M47557 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/241817">@karthiklen</a>,</P><P>even if you cannot install new apps or TAs, you can find in those apps the configurations and dashboards useful for your requirements, instead of to study Azure logs!</P><P>Ciao.</P><P>Giuseppe</P> Tue, 11 Jan 2022 12:25:51 GMT https://community.splunk.com/t5/Dashboards-Visualizations/how-to-parse-Events-in-splunk-for-more-useful-dashboard-panels/m-p/580594#M47557 gcusello 2022-01-11T12:25:51Z