Re: Key Extract from data

deepak1037 · ‎06-30-2020

I have following logs

2020-06-30 17:58:28,307; thread=[workflow-503]; LogLevel=INFO; class=a.b.c.getData; milestone_end; id=asddd_ddd_ddd0, key1=193514641285449, tid=60d06-26c3-4281-8600-79338c6, flow=MessageMatching, RecordsCount=0, appId=appid1; msg=PerfStat-Repository: solrQuery={“q”:”a_id:193514641285449 AND (status:TO_BE_REVIEWED AND transaction_source:(SOURCE_A) AND amount:\\-80.00) AND -(deleted:true) AND -(is_primary:false)","start":"0","route.partition":["193514641285449"],"timeAllowed":10000}; recordCount=0; elapsedTime=3;;

Here we have solrQuery of the form {"q":"key1:value1 AND key2:value2 AND (key3:value3)};

I want to extract only key in the format key1,key2,key3

richgalloway · ‎06-30-2020

To clarify, you want to extract "a_id", "status", "transaction_source", "amount", "deleted", "is_primary", "start", "route.partition". and "timeAllowed" as fields, correct?
Is the solrQuery field already extracted?
Do you want the keys extracted at index time or search time?

---
If this reply helps you, Karma would be appreciated.

deepak1037 · ‎06-30-2020

To clarify, you want to extract "a_id", "status", "transaction_source", "amount", "deleted", "is_primary", "start", "route.partition". and "timeAllowed" as fields, correct?: Yes

Is the solrQuery field already extracted? No

Do you want the keys extracted at index time or search time? Didn't get that

Key Extract from data

source

sourcetype

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Mile High Learning with Splunk University, Denver, Colorado

IT Service Intelligence 5.0 Series: Your Guide to the June Launch

Agent Mode Engaged! Enchaining Agentic Operations with Splunk AI Assistant 2.0

Join the Conversation