Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Is there any possibility to split the value from the message field, like teamName, ID as a different field?

JGP
Explorer
‎04-04-2023 12:58 AM

is there any possibility to split the value from the message field, like teamName, ID as a different field.

Untitled.png

Labels (1)
Labels
0 Karma
Reply

JGP
Explorer
‎04-10-2023 09:17 PM

any recommendations? we need those extracted fields to be come under the event details same like below message , namespace_id , namespace_name , .....?

0 Karma
Reply

yeahnah
Motivator
‎04-10-2023 09:42 PM

Hi @JGP 

It's a little ugly but since the message field looks to be valid JSON, you could do this...

 

...
  ``` backup event then rename message field to _raw ```
| eval raw=_raw | rename message AS _raw  
| extract    ``` extract the json from _raw - n.b. it only works on _raw field ```
  ``` rename _raw back to message, reset _raw event back to original and remove copy ```
| rename _raw AS message | eval _raw=raw | fields - raw

 

Not sure how well it scales on big data sets.

Anyway, hope it helps

0 Karma
Reply

JGP
Explorer
‎04-06-2023 10:37 PM

by any chance if we extract field "teamName", "ID " with the rex command can come under the event that pasted in the original post just like under message , namespace_id , namespace_name , .....?

0 Karma
Reply

JGP
Explorer
‎04-04-2023 02:09 AM

where to find the button?

sample event for ref.

appid: 111111
cluster: abcdefgh
container_id: c44444444444444444444455555555555566666
container_image: docker-dev-local.artifactrepository.**************.net/*********-project-111111/********************:master-55-c3444444
container_image_id: docker-dev-local.artifactrepository.********.net/*********-project-111111/******@s*************************
container_name: ecs-***************
environment: dev
hosting_env: *******
hostname: app-14.********.ecs.*******
level: debug
log_type: app_containers
logroute: *******************
message: {"timestamp":"2023-03-30T12:29:51.684Z","msg":"REQUEST DATA : GET /generic/healthcheck, client=1.1.1.1]","logClass":"org.springframework.web.filter.CommonsRequestLoggingFilter","threadID":"http-nio-9099-exec-9","logLevel":"DEBUG","ID":"111111","teamName":"SL"}
namespace_id: 00000000000000000000000000000
namespace_name: ************************
openshift: { [+]
}
ose_workload: dev
pod_id: 1111111111111111111111111
pod_ip: 11.11.11.111
pod_name: **********************
sector: *******
timestamp: 2023-03-30T12:29:51.684743385+00:00

0 Karma
Reply

Icecream123
Explorer
‎04-04-2023 02:41 AM

Hi,

You can try to perform regex on the field to get the required values from the field. The below if a sample regex to extract the loglevel or teamName or ID. (need to optimize further accordingly.)

|rex field=_raw ""logLevel":"(?<loglevel>\S*)","ID":"(?<ID>\S*)","teamName":"(?<teamname>\w*)"

 If the message field is already extracted you can try:

|rex field=message ""logLevel":"(?<loglevel>\S*)","ID":"(?<ID>111111)","teamName":"(?<teamname>\w*)"

 

Hope this is what you are looking to do!

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎04-04-2023 01:53 AM 
| spath message
| spath input=message
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎04-04-2023 01:01 AM

Hi @JGP,

yes it's possible but I need a sample of the event in text format, not screenshot, highlighting the fields to extract.

Put the samples using "Insert Edit Code Sample" button.

Ciao.

Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Enterprise Security 8.x: The Essential Upgrade for Threat Detection, ...

 Prepare to elevate your security operations with the powerful upgrade to Splunk Enterprise Security 8.x! This ...

Get Early Access to AI Playbook Authoring: Apply for the Alpha Private Preview ...

Passionate about security automation? Apply now to our AI Playbook Authoring Alpha private preview ...

Reduce and Transform Your Firewall Data with Splunk Data Management

Managing high-volume firewall data has always been a challenge. Noisy events and verbose traffic logs often ...