Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to fetch keywords from row logs

aditsss
Motivator
‎08-29-2023 08:15 AM

Hi Team,

I have below row logs:

CarsDeltaHierarchyProcessor - CARS_HIERARCHY event published to ebnc: [{"status":"SUCCESS","description":"Event saved to database successfully."}]

I want to create one table like this

phrase                                                                                        status                     description

 CARS_HIERARCHY event published to ebnc                SUCCESS              "Event saved to database successfully.

can someone help me with query.

My current query:

index="abc" sourcetype =600000304_gg_abs_ipc2 source="/amex/app/gfp-settlement-raw/logs/gfp-settlement-raw.log" "CarsDeltaHierarchyProcessor - CARS_HIERARCHY event published to ebnc: [{"status":"SUCCESS","description":"Event saved to database successfully."}]"

            

Labels (3)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎08-29-2023 08:32 AM

Hi @aditsss,

this seems yo be a json format, did you tried to use the "INDEXED_EXTRACTIONS = json" in the props.conf aor the spath command in your search?

check if after this command you have all the fields you need:

index="abc" sourcetype =600000304_gg_abs_ipc2 source="/amex/app/gfp-settlement-raw/logs/gfp-settlement-raw.log" "CarsDeltaHierarchyProcessor - CARS_HIERARCHY event published to ebnc: [{"status":"SUCCESS","description":"Event saved to database successfully."}]"
| spath
| table something.phrase something.status something.description

Surely the fields to use in the following table command will have some prefixes that I cannot know, but that you can find in the interesting fields.

Ciao.

Giuseppe

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎08-29-2023 08:32 AM

Hi @aditsss,

this seems yo be a json format, did you tried to use the "INDEXED_EXTRACTIONS = json" in the props.conf aor the spath command in your search?

check if after this command you have all the fields you need:

index="abc" sourcetype =600000304_gg_abs_ipc2 source="/amex/app/gfp-settlement-raw/logs/gfp-settlement-raw.log" "CarsDeltaHierarchyProcessor - CARS_HIERARCHY event published to ebnc: [{"status":"SUCCESS","description":"Event saved to database successfully."}]"
| spath
| table something.phrase something.status something.description

Surely the fields to use in the following table command will have some prefixes that I cannot know, but that you can find in the interesting fields.

Ciao.

Giuseppe

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎08-30-2023 01:09 AM

Hi @aditsss,

good for you, see next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated 😉

0 Karma
Reply
Get Updates on the Splunk Community!

Observability | How to Think About Instrumentation Overhead (White Paper)

Novice observability practitioners are often overly obsessed with performance. They might approach ...

Cloud Platform | Get Resiliency in the Cloud Event (Register Now!)

IDC Report: Enterprises Gain Higher Efficiency and Resiliency With Migration to Cloud  Today many enterprises ...

The Great Resilience Quest: 10th Leaderboard Update

The tenth leaderboard update (11.23-12.05) for The Great Resilience Quest is out >> As our brave ...