Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

The "level" field is being automatically added by splunk, how to we ask splunk to extract log level from my json message ?

kishoresanke
New Member
‎01-08-2018 08:26 PM

The "level" field is being automatically added by splunk, how to we ask splunk to extract log level from my json message ?

alt text

Preview file
229 KB
0 Karma
Reply

micahkemp
Champion
‎01-10-2018 08:42 AM

Actually I think you can do this. The previous answer's explanation is valid, but using it you can do this:

props.conf:

[<sourcetype>]
SHOULD_LINEMERGE = false
REPORT-embedded_message = embedded_message
KV_MODE = json

props.conf:

[embedded_message]
SOURCE_KEY = message
REGEX = "(?<_KEY_1>[^:]+)":\s*"(?<_VAL_1>.*?)"

In action:

alt text

0 Karma
Reply

kishoresanke
New Member
‎01-10-2018 07:02 PM

Thanks a lot again for a detailed answer. I will try this today . quick question - why do we have both KV_MODE = none as well as KV_MODE = json in the sourcetype section ?

0 Karma
Reply

micahkemp
Champion
‎01-10-2018 07:08 PM

Artifact of previous attempt. 🙂 WIll fix in answer.

0 Karma
Reply

micahkemp
Champion
‎01-09-2018 08:07 PM

The reason splunk isn't automatically extracting this out is (probably) because the message field is JSON embedded in other JSON, as opposed to a sub-structure of the same JSON. I'm willing to bet the message field contains escaped quotes if you view the raw event. Here's a run-anywhere example of what I mean:

| makeresults | eval _raw="{\"message\": \"{\\\"level\\\": \\\"0\\\"}\"}" | spath

Gives a sample _raw of:

{"message": "{\"level\": \"0\"}"}

And a message value of:

{"level": "0"}

Which you could run spath against and get the results you want:

| makeresults | eval _raw="{\"message\": \"{\\\"level\\\": \\\"0\\\"}\"}" | spath | spath input=message

If the message field was part of the actual JSON structure (instead of JSON embedded in other JSON), _raw would look more like this:

{"message": {"level": "0"}}

Which would parse properly into message.level. The run-anywhere search to show this in action is:

| makeresults | eval _raw="{\"message\": {\"level\": \"0\"}}" | spath

So how do you make this "just work" without having to run a separate spath each time you search? I don't think there is a way. Even if you knew that you only cared about the message field and nothing else and you used SEDCMD to rewrite _raw when you index the data, it would still contain escaped quotes that are going to prevent JSON parsing from being successful.

0 Karma
Reply

kishoresanke
New Member
‎01-10-2018 12:40 AM

Thanks for detailed explanation. But what bugs me is, the "req_id" field is also escaped within the message field, but somehow splunk has automatically extracted this out. Then why not the "level" ?

0 Karma
Reply

harsmarvania57
Ultra Champion
‎01-09-2018 07:38 AM

Are you able to see automatically extracted message.level field on left hand side? If yes then it will give you value INFO

0 Karma
Reply

kishoresanke
New Member
‎01-09-2018 07:55 PM

no, its not automatically extracted.

0 Karma
Reply

cmerriman
Super Champion
‎01-09-2018 05:00 AM

have you tried spath?
http://docs.splunk.com/Documentation/Splunk/6.3.3/SearchReference/spath

0 Karma
Reply

kishoresanke
New Member
‎01-09-2018 06:20 AM

i did try spath, but wouldn't it be easier if splunk extracts the field automatically rather than i write spath command to extract the field everytime i want to search.

0 Karma
Reply
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...