Re: Key Extract from data

deepak1037 · ‎06-30-2020

I have following logs

2020-06-30 17:58:28,307; thread=[workflow-503]; LogLevel=INFO; class=a.b.c.getData; milestone_end; id=asddd_ddd_ddd0, key1=193514641285449, tid=60d06-26c3-4281-8600-79338c6, flow=MessageMatching, RecordsCount=0, appId=appid1; msg=PerfStat-Repository: solrQuery={“q”:”a_id:193514641285449 AND (status:TO_BE_REVIEWED AND transaction_source:(SOURCE_A) AND amount:\\-80.00) AND -(deleted:true) AND -(is_primary:false)","start":"0","route.partition":["193514641285449"],"timeAllowed":10000}; recordCount=0; elapsedTime=3;;

Here we have solrQuery of the form {"q":"key1:value1 AND key2:value2 AND (key3:value3)};

I want to extract only key in the format key1,key2,key3

richgalloway · ‎06-30-2020

To clarify, you want to extract "a_id", "status", "transaction_source", "amount", "deleted", "is_primary", "start", "route.partition". and "timeAllowed" as fields, correct?
Is the solrQuery field already extracted?
Do you want the keys extracted at index time or search time?

---
If this reply helps you, Karma would be appreciated.

deepak1037 · ‎06-30-2020

To clarify, you want to extract "a_id", "status", "transaction_source", "amount", "deleted", "is_primary", "start", "route.partition". and "timeAllowed" as fields, correct?: Yes

Is the solrQuery field already extracted? No

Do you want the keys extracted at index time or search time? Didn't get that

Key Extract from data

source

sourcetype

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...