I have a JSON response now, and from that I want to create a table that will have all unique Error Codes, Messages and Count. I am not able to read the JSON message in Splunk. How can we do this in Splunk? Below is one sample JSON response which I have:
level: DEBUG
line: 43
logger: ErrorUtils
message: Error: {"ErrorCode":"201","Message":"Invalid User"}
I have created a query just to read the eventtype. I am not sure how I can proceed further on this.
eventtype="myevent"
Assuming your JSON is properly formatted, try setting KV_MODE=json in your props.conf file against that sourcetype. It should automatically extract the field values from the JSON events.
You can read more about it here:
https://docs.splunk.com/Documentation/Splunk/latest/admin/Propsconf
Let me know if that helps.
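An added example, not part of the original answer: in the sample event the JSON object follows the text `Error:` on the `message` line, so this search pulls that object out of the raw event with `rex`, parses it with `spath`, and counts each unique code/message pair. The field name `error_json` is an assumption chosen for this illustration; the `eventtype` and the `ErrorCode` and `Message` keys come from the question.

```spl
eventtype="myevent"
| rex "message:\s+Error:\s+(?<error_json>\{.*\})"
| spath input=error_json
| stats count AS Count BY ErrorCode, Message
| sort - Count
```

Events where the `rex` pattern does not match have no `ErrorCode` or `Message` field and are left out of the `stats` table.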
Can you share your whole JSON event?