topic need to help to extract few fields in Splunk Search

need to help to extract few fields

pench2k19 — Wed, 30 Sep 2020 05:23:20 GMT

Hi Team,

I have the following as raw event

INFO : [0:HLog][20200507 12:25:25.739 -0400] [CFarmdHealth.java:538] +1{"garbage_collec: {"total_collections_time":16539,"last_minute_collections":5,"last_minute_collections_time.:38,"totalcollections":2313},"current_state":
{"event_processing_metric":0.6647058823529413,"message_queues":{"maintenanceWindowManager":"0/-","Hibernate":"0/-","Default Cookbook":"0/-","Alert Workflows":"0/-",.StatCollector":"0/-","bus_thread_pool":"0/-","Event Workflows":"0/-","SituationMgr":"0/-","SituationRootCause":"0/-","Remedy":.0/-","AlertBuilder":"0/-","TeamsMgr":"0/-","xMatters":"0/-","Housekeeper":"0/-","Situation Workflows":"0/-","Indexer":"0/-","MaintManager":"0/-","NCAlertBuilder":"0/-","SMCEnricher":"0/-","xmattersINS":"0/-",.AlertRulesEngine":"0/-"},"in_memory_entropies.:781,"cookbook_resolu _queue":0,"active_async_tasks_count":0},"interval_totals":{"created events":621,"created_external_situations.:0,"created_situations":0,"messages_processed": {"maintenanceWindowManager":621,"Default Cookbook":548,"Alert Workflows":621,"StatCollector":0,"Event Workflows":597,"situationRootCause":0,"SituationMgr":0,"AlertBuilder":597,"TeamsMgr":0,"xMatters":0,"Indexer":666,"Situation Workflows":0,"maintManager":666,"SMCEnricher":621,NCAlertBuilder":597,xMattersINS":0,"AlertRulesEngine":548},"alerts_added_to situations":0,"situation_db_update_failure":0},JVM_memor] {"heap_used":314179032,"heap_committed":488636416,"heap_init":195035136,"nonheap_committed":290652160,"heap_max":3107979264,"nonheap_init":7667712,"nonheap_used":263293720,"nonheap_max" 1},"totals":{"created_events":178016,"created_external_situations":0,"created_situations":0,"alerts_added_to situations":0,"situation_db_update_failure":0}}1+

Now i have to build the kind of tables in the attachment out of above highlighted text in the event, Can you please help

Re: need to help to extract few fields

pench2k19 — Sat, 09 May 2020 09:01:34 GMT

@jkat54 @woodcock @sideview @vnravikumar can you please help

Re: need to help to extract few fields

jkat54 — Sat, 09 May 2020 10:35:55 GMT

What search have you tried and what questions do you have about the work you've attempted?

No one wants to do your job for you, but we'd all love to help you if you've got a specific problem.

Re: need to help to extract few fields

pench2k19 — Wed, 30 Sep 2020 05:23:44 GMT

@jkat54 i have tried the followin in props.conf and try create fields using that

[pench_test]
DATETIME_CONFIG =
LINE_BREAKER = ([\r\n]+)
NO_BINARY_CHECK = true
SEDCMD = y/:/=/
category = Custom
pulldown_type = true
sedcmd = y/:/=/

But its not creating most of the necessery fields to write the SPL query and seeking help.

Re: need to help to extract few fields

pench2k19 — Mon, 11 May 2020 14:50:52 GMT

attaching image for your reference

Re: need to help to extract few fields

robinettdonWY — Mon, 11 May 2020 15:13:07 GMT

Have you tried using regex to capture and the extract the fields you need? |rex field=_raw "regex with capture groups goes here"
Or you can go to Settings>Fields>Field Extractions and create a new fields there by extracting what you need.

Re: need to help to extract few fields

to4kawa — Mon, 11 May 2020 21:02:38 GMT

use code sample and check your sample before ask the question.

your log is wrong and some missing string.(where is [ vs ,JVM_memor] ? )