topic Re: Show a part of message for dasboard stats table in Splunk Search

Show a part of message for dasboard stats table

alwinaugustin — Thu, 30 Sep 2021 14:59:27 GMT

I have the following query and I am using it in a dashboard to show the errors categorized.

index=myindex sourcetype=mysource_type:app | spath message | regex message="^.*error creating account.*$$"|top message

Now, this is working, but it is showing the complete messages. The error messages have the following format most of the time:

message: Log: "error creating account {\"status\":\"error\",\"message\":\"Error while creating account, 500 - Internal Server Error\"}"

Now when the stats table is displayed. I would like to show only the message part from this error message, that is it only needs to show Error while creating an account, 500 - Internal Server Error. It will be very much helpful someone can point out how I can do this?

Re: Show a part of message for dasboard stats table

gcusello — Thu, 30 Sep 2021 15:23:08 GMT

Hi @alwinaugustin,

you can do this using the eval command.

So if your field is called message, you have to put in your search:

| eval message=if(like(message,"%Error while creating account, 500%"),"Error while creating an account, 500 - Internal Server Error.",message")

Ciao.

Giuseppe

Re: Show a part of message for dasboard stats table

ITWhisperer — Thu, 30 Sep 2021 20:49:08 GMT

| makeresults | eval _raw="message: Log: \"error creating account {\\\"status\\\":\\\"error\\\",\\\"message\\\":\\\"Error while creating account, 500 - Internal Server Error\\\"}\"" | rex "(?<json>\{[^\}]+\})" | eval json=replace(json,"\\\\","") | spath input=json path="message" output=message

Re: Show a part of message for dasboard stats table

PickleRick — Thu, 30 Sep 2021 21:42:13 GMT

You have at least two different methods of parsing out the message part.

1) (ITWhisperer already showed this solution) find the json part, "fix" it (remove backslashes escaping quotation marks), then use spath on the json data to get the message part.

<your_query> 
| rex "(?<json>\{.*\})" 
| eval json=replace(json,"\\\\\"","\"")
| spath input=json path=message

It should work but it's a bit... halfhearted because it uses the fact that you have a json structure but it makes too many assumptions about the format and contents of this json.

Therefore you have option

2) Just use a regex to parse out the message value

<your_search> 
| rex "\\\"message\\\":\\\"(?<message>.*)\\\"}\"$"

Quick and dirty but simple and effective. (I'm not sure whether the closing quote is a part of the event or is it just you quoting it. Adjust the regex accordingly if necessary.