topic Hi Team , I need Field extraction of status Error and INFO status in logs . in Splunk Search

Hi Team , I need Field extraction of status Error and INFO status in logs .

Hemant1 — Wed, 02 Dec 2020 13:51:57 GMT

ERROR [monki_HMCatalogSyncJob::de.hybris.platform.servicelayer.internal.jalo.ServicelayerJob] -[J= U= C=] (monki) (0000MM1K) [CatalogVersionSyncJob] Finished synchronization in 0d 00h:00m:07s:499ms. There were errors during the synchronization!

INFO [monki_HMCatalogSyncJob::de.hybris.platform.servicelayer.internal.jalo.ServicelayerJob] -[J= U= C=] (monki) (0000ML9S) [CatalogVersionSyncJob] Finished synchronization in 0d 00h:00m:17s:091ms. No errors.

Re: Hi Team , I need Field extraction of status Error and INFO status in logs .

ITWhisperer — Wed, 02 Dec 2020 13:58:34 GMT

Which parts of these events do you want?

Re: Hi Team , I need Field extraction of status Error and INFO status in logs .

daisy_st — Wed, 02 Dec 2020 22:25:44 GMT

hi, this is a simple extraction. Do events always start with the status? If yes, it will look something like:
| rex field=_raw "(?<status>^\w+)"

You can use regex101.com to fine tune the regex if it is not working.

Re: Hi Team , I need Field extraction of status Error and INFO status in logs .

Hemant1 — Thu, 03 Dec 2020 05:58:38 GMT

i need to extract INFO and Error part

Re: Hi Team , I need Field extraction of status Error and INFO status in logs .

ITWhisperer — Thu, 03 Dec 2020 09:49:11 GMT

What is wrong with what @daisy_st suggested?

One reason it might not be working is that the information you provided is not your actual raw event. If that is the case, please provide some real examples.

Another possibility is that you are not looking for search time / SPL extraction but you want to know how to extract this at indexing time. Please can you clarify?