Hello,
I am trying to display at search time only the content of the "log" field, where the application data is.
I am using the stanza below on the SH
cheers,
[source::http:k8s_test]
KV_MODE = json
EVAL-_raw = log
_raw event
{ [-]
K8Cluster: k8s-cluster-aa-bb-01
docker: { [-]
container_id: 919d689b4ee5aa0ac2ad7ac3333557b4bb7471da313ac9c7e6cbfc9c9e925e8a
}
kubernetes: { [+]
}
log: [2020/02/28 16:40:41] [error] [out_fw] no upstream connections available
stream: stderr
}
output
[2020/02/28 16:30:18] [error] [out_fw] no upstream connections available
[2020/02/28 16:30:18] [error] [out_fw] no upstream connections available
_raw is the default indexed event field.
EVAL-_raw = log does not replace the indexed event.
| makeresults
| eval _raw="{
K8Cluster: k8s-cluster-aa-bb-01
docker: { [-]
container_id: 919d689b4ee5aa0ac2ad7ac3333557b4bb7471da313ac9c7e6cbfc9c9e925e8a
}
kubernetes: { [+]
}
log: [2020/02/28 16:40:41] [error] [out_fw] no upstream connections available
stream: stderr
} "
| rex mode=sed "s/(?s).*(log\:.+?) stream.*/\1/"
Based on this result, in props.conf:
SEDCMD-log = s/(?s).*(log\:.+?) stream.*/\1/
but this depends on your LINE_BREAKER.
following your example I have tried with the format below, but somehow it interprets the string between square brackets as splunk command
| makeresults
| eval _raw="{"log":"[2020/02/28 18:38:00] [error] [out_fw] no upstream connections available","stream":"stderr","docker":{"container_id":"736f7b10a0bda6b97267d8f51e9a8c1fbf8f8f41edea0f3d79b174b7dc5f48cb"},"kubernetes":{"container_name":"billing","namespace_name":"pks-system","pod_name":"telemetry-agent-77f797c749-qj9rv","container_image":"pkstelemetrybot/telemetry-agent:latest","container_image_id":"docker://sha256:c9dbff3df8b19ee2b91df08982cbdb0047bd8e0d830acba73e03959db80c6928","pod_id":"dbbeee1f-63a4-4b03-a74b-0a53b5db44e8","labels":{"app":"telemetry-agent","pod-template-hash":"77f797c749"},"host":"77141ae5-920f-4f65-bd0a-ba78a85c157d","master_url":"https://10.111.192.1:443/api","namespace_id":"6e78cc1d-b345-44c3-b8e3-5c1af076afc5"},"K8Cluster":"k8s-cluster-test-kr-01"}"
| rex mode=sed "s/\{("log"\:\".+?)\","stream.*/\1/"
| makeresults
| eval _raw="{\"log\":\"[2020/02/28 18:38:00] [error] [out_fw] no upstream connections available\",\"stream\":\"stderr\",\"docker\":{\"container_id\":\"736f7b10a0bda6b97267d8f51e9a8c1fbf8f8f41edea0f3d79b174b7dc5f48cb\"},\"kubernetes\":{\"container_name\":\"billing\",\"namespace_name\":\"pks-system\",\"pod_name\":\"telemetry-agent-77f797c749-qj9rv\",\"container_image\":\"pkstelemetrybot/telemetry-agent:latest\",\"container_image_id\":\"docker://sha256:c9dbff3df8b19ee2b91df08982cbdb0047bd8e0d830acba73e03959db80c6928\",\"pod_id\":\"dbbeee1f-63a4-4b03-a74b-0a53b5db44e8\",\"labels\":{\"app\":\"telemetry-agent\",\"pod-template-hash\":\"77f797c749\"},\"host\":\"77141ae5-920f-4f65-bd0a-ba78a85c157d\",\"master_url\":\"https://10.111.192.1:443/api\",\"namespace_id\":\"6e78cc1d-b345-44c3-b8e3-5c1af076afc5\"},\"K8Cluster\":\"k8s-cluster-test-kr-01\"}"
| rex mode=sed "s/\{(\"log\"\:\".+?),.*/\1/"
JSON has many " characters. Press ⌘ (or Ctrl)+F twice and convert each " to \".
I did manage to fix it with
EVAL-_raw = replace(_raw, "^\{\"log\"\:\"(.+?)\",\"stream.*", "\1")
Looks like SEDCMD works only at index time; I was operating at the search-time level.
SEDCMD- =
* Only used at index time.
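As an added illustration (not code from the thread or from Splunk), the replace() regex used in the EVAL-_raw fix above is re-created in Python next to a plain JSON parse of the same wrapper, so the two can be compared on constructed events. The sample events below are made up in the shape the thread shows; the "status degraded" and reordered-key events are assumptions to show where the regex and the parser diverge.

```python
import json
import re

# Constructed sample event in the shape the thread shows (Fluent Bit / k8s
# wrapper sent via HEC); values are made up, not taken from a real cluster.
SAMPLE_EVENT = json.dumps({
    "log": "[2020/02/28 18:38:00] [error] [out_fw] no upstream connections available",
    "stream": "stderr",
    "docker": {"container_id": "736f7b10a0bda6b97267d8f51e9a8c1fbf8f8f41edea0f3d79b174b7dc5f48cb"},
    "kubernetes": {"container_name": "billing", "namespace_name": "pks-system"},
    "K8Cluster": "k8s-cluster-test-kr-01",
}, separators=(",", ":"))

# Same pattern as the thread's
#   EVAL-_raw = replace(_raw, "^\{\"log\"\:\"(.+?)\",\"stream.*", "\1")
# written as a Python regex (PCRE's \: is just a literal colon).
LOG_RE = re.compile(r'^\{"log":"(.+?)","stream.*')


def extract_log_regex(raw: str) -> str:
    """Regex approach: return group 1 on a match. On no match Splunk's
    replace() leaves _raw unchanged, so the input is returned untouched."""
    m = LOG_RE.match(raw)
    return m.group(1) if m else raw


def extract_log_json(raw: str) -> str:
    """Parse the wrapper as JSON and return the decoded "log" value, i.e. the
    same string a JSON field extraction (KV_MODE = json) yields as the log field."""
    return json.loads(raw)["log"]


# Two constructed edge cases that show where the regex and the parser differ.
# 1) The log line contains JSON escapes (\" and \n) produced by the log shipper;
#    the regex hands back the escapes verbatim, the parser decodes them.
ESCAPED_EVENT = '{"log":"status \\"degraded\\"\\nretrying","stream":"stderr","K8Cluster":"c1"}'
# 2) The wrapper emits "stream" before "log", so the anchored regex never matches
#    and the whole wrapper stays in _raw.
REORDERED_EVENT = '{"stream":"stderr","log":"hello","K8Cluster":"c1"}'

if __name__ == "__main__":
    for name, ev in [("sample", SAMPLE_EVENT), ("escaped", ESCAPED_EVENT),
                     ("reordered", REORDERED_EVENT)]:
        print(f"{name:9} regex -> {extract_log_regex(ev)!r}")
        print(f"{name:9} json  -> {extract_log_json(ev)!r}")
```

On the plain sample both approaches agree; on the escaped and reordered events only the JSON parse returns the application line, which is the check to run against your own shipper's output before relying on the regex form.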
Why not just do a | table _time log ?
If you look at the raw events in search and expand a single event using the ">" under the "i" column (next to Time), do you see duplicate values for each of the fields? If so, that's a different problem, usually caused by both INDEXED_FIELDS = json enabled on the HF/indexer as well as KV_MODE = json being configured on the search head, which results in duplicate values in the JSON field extractions.
I would like to do this transparently for the user, without piped commands
the events come via HEC, and when I remove the EVAL-_raw = log line everything is displayed correctly in json format; I want to display only the content of the "log" field
INDEXED_EXTRACTIONS is not set, and removing KV_MODE on the SH doesn't get rid of the additional line
looks like EVAL doubles the values of all fields (except the default ones), not only log