Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Field Extraction, message separated by spaces

christinaef07
Loves-to-Learn Everything
‎12-07-2020 08:52 AM

Hi everyone, I need some help with extracting the field 'message' from my logs coming to splunk. Right now, I am able to see this field coming in as :

message=job py process completed successfully

 When I extract this field, message, only 'job' is coming through. I am assuming this is because splunk can only read the first word, since they are all being seperated by spaces. Any way that I can fix this through Splunk or is this something I need to fix when formatting my logs through my application code? 

Labels (1)
Labels
0 Karma
Reply

493669
Super Champion
‎12-07-2020 09:13 AM

@christinaef07 you can use below regex to extract whole string in message . below regex will extract everything after `message=` in message field.

...|rex "message(?<message>.*)"

 

0 Karma
Reply
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...