Create separate field from Message

Emre
Loves-to-Learn Lots

Good day everyone, I am new to Splunk and I need some suggestions.
We are sending our Mendix logs to SplunkCloud, but our logs are sent to Splunk as a single event.
Is it possible for me to extract the fields from the message part? Example:
Module:SplunkTest
Microflow: ACT_Omnext_Create
latesteror_message:Access denied..
http status: 401
Http reasonphrase Access denied...
Or should this data be structured from Mendix and sent to Splunk?
Thanks for any suggestion.


livehybrid
SplunkTrust

Hi @Emre 

Try the following:

| eval message=json_extract(_raw,"message") 
| spath input=message


gcusello
SplunkTrust

Hi @Emre ,

you should create some field extractions using regexes from the message field.

If you can share a sample of your data in text format (not screenshot), we can help you.

Ciao.

Giuseppe


Emre
Loves-to-Learn Lots

@gcusello Here you are, I hope it works.

This is the Message:

{"Module": SplunkTest""Microflow": ACT_Omnext_Create_Test""latesterror_message": "401: Access Denied   at SplunkTest.ACT_Omnext_Create_TEST (CallRest : 'Call REST (POST)') Advanced stacktrace:"http_status": "401"http_response_content": "{ "statusCode": 401, "message": "Access denied due to invalid subscription key. Make sure to provide a valid key for an active subscription." }"http_reasonphrase": "Access Denied"session_id": "912651c4-127f-4f02-a348-c79373e84444}

 

What I want is

app:

application_name:

env:

environment_id:

hostname:

instance index

level: ERROR 

Module: SplunkTest

Microflow:ACT_Omnext_Create_Test

latesterror_message: 401: Access Denied at SplunkTest.ACT_Omnext_Create_TEST (CallRest : 'Call REST (POST)')

http_status: 401

http_response_content: "{ "statusCode": 401, "message": "Access denied due to invalid subscription key. Make sure to provide a valid key for an active subscription." }

http_reasonphrase: Access Denied

session_id: "1111111-127f-4f02-a348-c79373e86a5d}

 

 

 

 


gcusello
SplunkTrust

Hi @Emre ,

Beware, because this seems to be a JSON file, and the raw text is different from the one you displayed (there are backslashes before each quote).

Then I suppose that you missed some quotes when copying the text, because there are unclosed quotes.

Then, please post this text using the Insert/Edit Code Sample button "</>".

Ciao.

Giuseppe

 


PrewinThomas
Motivator

@Emre 
You can use Splunk’s Field Extractions (props/transforms) or rex in your SPL to extract fields at search time.
For example:
| rex field=_raw "Module:(?<Module>[^\n]+)"
| rex field=_raw "Microflow:\s*(?<Microflow>[^\n]+)"
| rex field=_raw "latesteror_message:(?<latesteror_message>[^\n]+)"
| rex field=_raw "http status:\s*(?<http_status>\d+)"
| rex field=_raw "Http reasonphrase\s*(?<Http_reasonphrase>[^\n]+)"

But best practice is to structure the data at source itself.

Regards,
Prewin
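The following example is added here and is not from any reply in the thread. It parses a constructed event in Python, assuming (as the replies suggest) that the event is JSON and that `message` and `http_response_content` hold JSON stored as escaped strings, and it reports every field under a dotted name so you can see which values needed a second decoding pass. The sample event, the `hostname` value and the function names are made up for illustration.

```python
import json

# Constructed sample event, not real data from the thread. Assumption: the raw
# event is JSON, and "message" and "http_response_content" each hold a JSON
# document stored as an escaped string (backslashes before the inner quotes).
INNER = {
    "Module": "SplunkTest",
    "Microflow": "ACT_Omnext_Create_Test",
    "http_status": "401",
    "http_response_content": json.dumps({"statusCode": 401, "message": "Access denied"}),
    "http_reasonphrase": "Access Denied",
}
SAMPLE_EVENT = json.dumps({"level": "ERROR", "hostname": "host-01", "message": json.dumps(INNER)})


def decode_json(value):
    """Return the decoded object or array if value is a string holding JSON, else None."""
    if not isinstance(value, str) or not value.lstrip().startswith(("{", "[")):
        return None
    try:
        decoded = json.loads(value)
    except ValueError:  # unbalanced quotes, truncated text, and so on
        return None
    return decoded if isinstance(decoded, (dict, list)) else None


def flatten(obj, prefix=""):
    """Flatten nested JSON into dotted field names, decoding JSON-in-string values."""
    fields = {}
    items = obj.items() if isinstance(obj, dict) else enumerate(obj)
    for key, value in items:
        name = f"{prefix}{key}"
        nested = value if isinstance(value, (dict, list)) else decode_json(value)
        if nested:
            fields.update(flatten(nested, prefix=f"{name}."))
        else:
            fields[name] = value
    return fields


def extract_fields(raw_event):
    """Parse one raw event; keep it whole in 'message' when it is not valid JSON."""
    parsed = decode_json(raw_event)
    return flatten(parsed) if parsed else {"message": raw_event}


if __name__ == "__main__":
    for field, value in extract_fields(SAMPLE_EVENT).items():
        print(f"{field}: {value}")
```

Each level of a dotted name that came from decoding a string corresponds to one extra `spath input=...` step at search time; an event with unclosed quotes falls through to the single `message` field.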