topic Re: Create seperate field from Message in Dashboards & Visualizations

Create seperate field from Message

Emre — Wed, 18 Jun 2025 08:41:01 GMT

Good day everyone, ia m new to Splunk and i need some suggestions.
We are sending our Mendix logs to SplunkCloud, but our logs are sent to Splunk as a single event.
Is that possible for me to extract the fields from the message part? Example
Module:SplunkTest
Microflow: ACT_Omnext_Create
latesteror_message:Access denied..
http status: 401
Http reasonphrase Access denied...
Or is this data should be structured from Mendix and send to Splunk?
Thanks for any suggestion.

Re: Create seperate field from Message

PrewinThomas — Wed, 18 Jun 2025 08:50:23 GMT

@Emre
You can use Splunk’s Field Extractions (props/transforms) or rex in your SPL to extract fields at search time
For Eg:
| rex field=_raw "Module:(?<Module>[^\n]+)"
| rex field=_raw "Microflow:\s*(?<Microflow>[^\n]+)"
| rex field=_raw "latesteror_message:(?<latesteror_message>[^\n]+)"
| rex field=_raw "http status:\s*(?<http_status>\d+)"
| rex field=_raw "Http reasonphrase\s*(?<Http_reasonphrase>[^\n]+)"

But best practice is to structure the data at source itself.

Regards,
Prewin
Splunk Enthusiast | Always happy to help! If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks!

Re: Create seperate field from Message

gcusello — Wed, 18 Jun 2025 09:16:06 GMT

Hi @Emre ,

you should create some field extractions using regexes from the message field.

If you can share a sample of your data in text format (not screenshot), we can help you.

Ciao.

Giuseppe

Re: Create seperate field from Message

Emre — Wed, 18 Jun 2025 09:51:31 GMT

@gcusello Here you are, i hope it works.

This is the Message:

{"Module": SplunkTest""Microflow": ACT_Omnext_Create_Test""latesterror_message": "401: Access Denied at SplunkTest.ACT_Omnext_Create_TEST (CallRest : 'Call REST (POST)') Advanced stacktrace:"http_status": "401"http_response_content": "{ "statusCode": 401, "message": "Access denied due to invalid subscription key. Make sure to provide a valid key for an active subscription." }"http_reasonphrase": "Access Denied"session_id": "912651c4-127f-4f02-a348-c79373e84444}

What i want is

app:

application_name:

env:

environment_id:

hostname:

instance index

level: ERROR

Module: SplunkTest

Microflow:ACT_Omnext_Create_Test

latesterror_message: 401: Access Denied at SplunkTest.ACT_Omnext_Create_TEST (CallRest : 'Call REST (POST)')

http_status: 401

http_response_content: "{ "statusCode": 401, "message": "Access denied due to invalid subscription key. Make sure to provide a valid key for an active subscription." }

http_reasonphrase: Access Denied

session_id: "1111111-127f-4f02-a348-c79373e86a5d}

Re: Create seperate field from Message

gcusello — Wed, 18 Jun 2025 11:05:19 GMT

Hi @Emre ,

beware because this seems to be a json file, and the raw text is different than the one you display (there are backslashes before each quotes),

Then I suppose that you missed some quotes copying the text because there are not closed quotes.

then, please put this text using the Insert/Edit Code Sample button "</>"

Ciao.

Giuseppe

Re: Create seperate field from Message

livehybrid — Wed, 18 Jun 2025 11:53:16 GMT

Hi @Emre

Try the following:

| eval message=json_extract(_raw,"message") | spath input=message

🌟 Did this answer help you? If so, please consider:

Adding karma to show it was useful
Marking it as the solution if it resolved your issue
Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing