Dashboards & Visualizations

Create separate field from Message

Emre
Loves-to-Learn Lots

Good day everyone, I am new to Splunk and I need some suggestions.
We are sending our Mendix logs to SplunkCloud, but our logs are sent to Splunk as a single event.
Is it possible for me to extract the fields from the message part? Example:
Module:SplunkTest
Microflow: ACT_Omnext_Create
latesteror_message:Access denied..
http status: 401
Http reasonphrase Access denied...
Or should this data be structured in Mendix and sent to Splunk?
Thanks for any suggestion.

0 Karma

livehybrid
SplunkTrust

Hi @Emre 

Try the following:

| eval message=json_extract(_raw,"message") 
| spath input=message


🌟 Did this answer help you? If so, please consider:

  • Adding karma to show it was useful
  • Marking it as the solution if it resolved your issue
  • Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing

0 Karma

gcusello
SplunkTrust

Hi @Emre ,

You should create some field extractions using regexes from the message field.

If you can share a sample of your data in text format (not screenshot), we can help you.

Ciao.

Giuseppe

0 Karma

Emre
Loves-to-Learn Lots

@gcusello Here you are, I hope it works.

This is the Message:

{"Module": SplunkTest""Microflow": ACT_Omnext_Create_Test""latesterror_message": "401: Access Denied   at SplunkTest.ACT_Omnext_Create_TEST (CallRest : 'Call REST (POST)') Advanced stacktrace:"http_status": "401"http_response_content": "{ "statusCode": 401, "message": "Access denied due to invalid subscription key. Make sure to provide a valid key for an active subscription." }"http_reasonphrase": "Access Denied"session_id": "912651c4-127f-4f02-a348-c79373e84444}

 

What I want is:

app:
application_name:
env:
environment_id:
hostname:
instance index
level: ERROR
Module: SplunkTest
Microflow: ACT_Omnext_Create_Test
latesterror_message: 401: Access Denied at SplunkTest.ACT_Omnext_Create_TEST (CallRest : 'Call REST (POST)')
http_status: 401
http_response_content: "{ "statusCode": 401, "message": "Access denied due to invalid subscription key. Make sure to provide a valid key for an active subscription." }
http_reasonphrase: Access Denied
session_id: "1111111-127f-4f02-a348-c79373e86a5d}

0 Karma

gcusello
SplunkTrust

Hi @Emre ,

Beware, because this seems to be a JSON file, and the raw text is different from the one you display (there are backslashes before each quote).

I also suppose that you missed some quotes when copying the text, because there are unclosed quotes.

So please post this text using the Insert/Edit Code Sample button "</>".

Ciao.

Giuseppe

 

0 Karma
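As an added illustration (not code from this thread, nor from Mendix or Splunk), the Python below models why livehybrid's two-step SPL (json_extract, then spath) works and what Giuseppe's "backslashes before each quote" means: the outer event is JSON, and its message value is the inner object encoded a second time as a string, so a single decode only yields a string. The sample event, its placeholder values and the RAW_EVENT / extract_message_fields names are constructed for this example; only the field names are taken from the thread.

```python
import json

# Constructed sample event (not a real Mendix log). The outer keys are the
# ones listed in the thread; the "message" value is the inner object
# serialised into a string, which is why the raw text shows a backslash
# before every inner quote. All values are assumed placeholders.
INNER = {
    "Module": "SplunkTest",
    "Microflow": "ACT_Omnext_Create_Test",
    "latesterror_message": "401: Access Denied at SplunkTest.ACT_Omnext_Create_TEST "
                           "(CallRest : 'Call REST (POST)')",
    "http_status": "401",
    "http_response_content": '{ "statusCode": 401, "message": "Access denied due to '
                             'invalid subscription key." }',
    "http_reasonphrase": "Access Denied",
    "session_id": "00000000-0000-4000-8000-000000000000",
}
RAW_EVENT = json.dumps({
    "app": "example-app",
    "level": "ERROR",
    "hostname": "example-host",
    "message": json.dumps(INNER),  # second encoding: object -> string
})


def message_field_type(raw: str) -> str:
    """Type name of "message" after ONE decode, i.e. what spath on _raw sees."""
    return type(json.loads(raw)["message"]).__name__


def extract_message_fields(raw: str) -> dict:
    """Two-stage decode, the Python equivalent of
    | eval message=json_extract(_raw,"message") | spath input=message
    Outer fields (app, level, ...) are kept; inner fields are merged in.
    """
    outer = json.loads(raw)                       # stage 1: the event itself
    fields = {k: v for k, v in outer.items() if k != "message"}
    message = outer.get("message")
    if isinstance(message, dict):
        # The sender already emitted an object: one decode is enough.
        fields.update(message)
        return fields
    try:
        fields.update(json.loads(message))        # stage 2: the string payload
    except (TypeError, json.JSONDecodeError) as exc:
        # Not JSON (free text, or a mangled copy like the one pasted above):
        # keep the raw string so the event is not silently lost, and say why.
        fields["message"] = message
        fields["_decode_error"] = str(exc)
    return fields


if __name__ == "__main__":
    print("message after one decode is a:", message_field_type(RAW_EVENT))
    for key, value in extract_message_fields(RAW_EVENT).items():
        print(f"{key}: {value}")
```

The first json.loads stands in for json_extract, the second for spath input=message. Note that http_response_content is itself a JSON string, so a third decode would be needed if you wanted statusCode as its own field; the function deliberately stops at the level the thread asks for.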

PrewinThomas
Motivator

@Emre 
You can use Splunk's Field Extractions (props/transforms) or rex in your SPL to extract fields at search time.
For example:
| rex field=_raw "Module:(?<Module>[^\n]+)"
| rex field=_raw "Microflow:\s*(?<Microflow>[^\n]+)"
| rex field=_raw "latesteror_message:(?<latesteror_message>[^\n]+)"
| rex field=_raw "http status:\s*(?<http_status>\d+)"
| rex field=_raw "Http reasonphrase\s*(?<Http_reasonphrase>[^\n]+)"

But best practice is to structure the data at source itself.

Regards,
Prewin
Splunk Enthusiast | Always happy to help! If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks!

0 Karma