Split not working

amitg_23 · ‎08-08-2019

I have following data after this query:

index=sdlocp_epo-solutiontest sourcetype="kube:container:customer-soap-app" | spath | search level="SERVICE_PERF" | table message

|2800|BackOffice|T999999||Servcie1|8b81dbd0-ba0f-11e9-8912-914decccd432|Success|67|NA|NA|NA
|2800|BackOffice|T999999||Servcie1|8b81dbd0-ba0f-11e9-8912-914decccd432|Success|67|NA|NA|NA
|2800|BackOffice|T999999||Servcie1|8b81dbd0-ba0f-11e9-8912-914decccd432|Success|67|NA|NA|NA
|2800|BackOffice|T999999||Servcie2|8b81dbd0-ba0f-11e9-8912-914decccd432|Success|16|NA|NA|NA
|2800|BackOffice|T999999||Servcie2|8b81dbd0-ba0f-11e9-8912-914decccd432|Success|16|NA|NA|NA
|2800|BackOffice|T999999||Servcie2|8b81dbd0-ba0f-11e9-8912-914decccd432|Success|16|NA|NA|NA

I then run the following query:

It fails.

When I run it with _raw instead of message in split, it works. Why is that so?

I am using logs in JSON format.

Thanks in advance.

amitg_23 · ‎08-08-2019

mayurr98 · ‎08-08-2019

I am not sure why its not working because the syntax looks perfect. Do you get any error?

Well you could use rex to get the desired result.

index=sdlocp_epo-solutiontest sourcetype="kube:container:customer-soap-app"
| spath 
| search level="SERVICE_PERF" 
| table message 
| rex field=message "\|\w+\|(?<etime>\d+)\|"
| table etime

let me know if this helps!

Split not working

Index This | A sphere has three, a circle has two, and a point has zero. What is it?

Build Scalable Security While Moving to Cloud - Guide From Clayton Homes

Mission Control | Explore the latest release of Splunk Mission Control (2.3)