Reporting

I only want two fields to view

furkanern
Engager

Hello everyone. I'm a new user in Splunk and I have a problem. I have a log document that is sent from anywhere and there are too many fields in this document. The type of file is JSON and most of the fields are useless. For example, fields like brand, file path and device are useless and I want to hide these fields; I just want to view the fields named "Stack Trace" and date. How can I do this? If you help me I would be grateful.

(Attached screenshot: Ekran görüntüsü 2021-07-05 115132.png)


gcusello
SplunkTrust

Hi @furkanern,

Are you speaking of field hiding in search visualization or in indexing?

If you're speaking of indexing only the two fields, you have to modify the JSON at index time using the SEDCMD command in props.conf (for more info see https://docs.splunk.com/Documentation/Splunk/8.2.1/Data/Anonymizedata#Replace_strings_in_events_with...).

In a few words, you have to find a regex that takes only the two fields and discards all the other contents of the events, contents that obviously you cannot use any more!

If you need help finding this regex, you should share some samples of your logs.

If instead you're speaking of displaying only two fields in a dashboard panel, it's easier: you have to extract the two fields using a regex or the spath command and then use the table command to display only the two fields; usually it isn't necessary to display the raw data, but only the needed fields.

Ciao.

Giuseppe

0 Karma

furkanern
Engager

(Attached image: 2.png) Thank you for the answer. Now I have a picture for you. It's about the JSON log record. All records are in the same style as this one. I mean all records have parameters like device, brand, product etc... Records must only contain stack trace and date info. The other parts are unnecessary for analysis. How can I do this? By the way, sorry for my English.

0 Karma

gcusello
SplunkTrust

Hi @furkanern,

As I said, you have to decide between:

  1. indexing only a part of your events containing only the two fields,
  2. indexing the full event and display only two fields?

With the first solution you discard all the other information, but you consume less Splunk license.

With the second solution you consume more Splunk license than with the other, but you're also free to use the other information in the event.

Which one?

If you want the first one, you have to find a regex to extract only the two interesting fields and discard the others; I can help you with creating the regex, but you should share some log samples (not images, text using the Insert/Edit Code Sample button!).

If instead you want the second, you can use the solution of @ITWhisperer that (as always!) is perfect.

Ciao.

Giuseppe

0 Karma

furkanern
Engager

I want the second.

0 Karma

ITWhisperer
SplunkTrust

Please copy and paste the event data into a code block so we can validate any solution we propose. If you can't do that, then try using spath to extract all the JSON fields, then use the name of the field you want to refine the spath to a particular field.

0 Karma

furkanern
Engager
2021-06-01 00:00:05.3330 {"REPORT_ID":"73cd0211-d625-4e62-8ba6-bc6091ad3d83","APP_VERSION_CODE":1,"APP_VERSION_NAME":"3.69","PACKAGE_NAME":"tr.gov.iski.ortaksayacokuma","FILE_PATH":"\/data\/user\/0\/tr.gov.iski.ortaksayacokuma\/files","PHONE_MODEL":"Venus V6","BRAND":"Vestel","PRODUCT":"Samos","ANDROID_VERSION":"8.1.0","BUILD":{"BOARD":"msm8953","BOOTLOADER":"unknown","BRAND":"Vestel","CPU_ABI":"arm64-v8a","CPU_ABI2":"","DEVICE":"Samos","DISPLAY":"VS1200 release-keys","FINGERPRINT":"Vestel\/Samos\/Samos:8.1.0\/VS1200\/103813:user\/release-keys","HARDWARE":"qcom","HOST":"mo-bee","ID":"VS1200","IS_CONTAINER":false,"IS_DEBUGGABLE":false,"IS_EMULATOR":false,"IS_ENG":false,"IS_TREBLE_ENABLED":true,"IS_USER":true,"IS_USERDEBUG":false,"MANUFACTURER":"Vestel","MODEL":"Venus V6","PERMISSIONS_REVIEW_REQUIRED":false,"PRODUCT":"Samos","RADIO":"unknown","SERIAL":"2816021918001552","SUPPORTED_32_BIT_ABIS":["armeabi-v7a","armeabi"],"SUPPORTED_64_BIT_ABIS":["arm64-v8a"],"SUPPORTED_ABIS":["arm64-v8a","armeabi-v7a","armeabi"],"TAGS":"release-keys","TIME":1571816293000,"TYPE":"user","UNKNOWN":"unknown","USER":"buildslave","VERSION":{"ACTIVE_CODENAMES":[],"BASE_OS":"","CODENAME":"REL","INCREMENTAL":"103813","PREVIEW_SDK_INT":0,"RELEASE":"8.1.0","RESOURCES_SDK_INT":27,"SDK":"27","SDK_INT":27,"SECURITY_PATCH":"2019-09-01"}},"TOTAL_MEM_SIZE":23112617984,"AVAILABLE_MEM_SIZE":19286974464,"BUILD_CONFIG":{"APPLICATION_ID":"org.acra","BUILD_TYPE":"release","DEBUG":false,"FLAVOR":"","VERSION_CODE":-1,"VERSION_NAME":"5.4.0"},"CUSTOM_DATA":{},"IS_SILENT":false,"STACK_TRACE":"java.lang.IllegalArgumentException: View=DecorView@80ad74f[] not attached to window manager\n\tat android.view.WindowManagerGlobal.findViewLocked(WindowManagerGlobal.java:485)\n\tat android.view.WindowManagerGlobal.removeView(WindowManagerGlobal.java:394)\n\tat android.view.WindowManagerImpl.removeViewImmediate(WindowManagerImpl.java:126)\n\tat android.app.Dialog.dismissDialog(Dialog.java:371)\n\tat 
android.app.Dialog.dismiss(Dialog.java:354)\n\tat tr.gov.iski.ortaksayacokuma.BaseActivity$1.onReceive(BaseActivity.java:29)\n\tat android.support.v4.content.LocalBroadcastManager.executePendingBroadcasts(LocalBroadcastManager.java:12)\n\tat android.support.v4.content.LocalBroadcastManager.access$000(LocalBroadcastManager.java:1)\n\tat android.support.v4.content.LocalBroadcastManager$1.handleMessage(LocalBroadcastManager.java:3)\n\tat android.os.Handler.dispatchMessage(Handler.java:106)\n\tat android.os.Looper.loop(Looper.java:164)\n\tat android.app.ActivityThread.main(ActivityThread.java:6518)\n\tat java.lang.reflect.Method.invoke(Native Method)\n\tat com.android.internal.os.RuntimeInit$MethodAndArgsCaller.run(RuntimeInit.java:438)\n\tat com.android.internal.os.ZygoteInit.main(ZygoteInit.java:807)\n","INITIAL_CONFIGURATION":{"appBounds":"Rect(0, 0 - 720, 1358)","assetsSeq":0,"colorMode":5,"compatScreenHeightDp":584,"compatScreenWidthDp":319,"compatSmallestScreenWidthDp":320,"densityDpi":272,"fontScale":1.15,"hardKeyboardHidden":2,"keyboard":"KEYBOARD_NOKEYS","keyboardHidden":1,"locale":"tr_TR","mcc":286,"mnc":1,"navigation":1,"navigationHidden":2,"orientation":1,"screenHeightDp":774,"screenLayout":"SCREENLAYOUT_SIZE_NORMAL+SCREENLAYOUT_LONG_YES+SCREENLAYOUT_LAYOUTDIR_LTR+SCREENLAYOUT_ROUND_NO","screenWidthDp":423,"seq":10,"smallestScreenWidthDp":423,"touchscreen":"TOUCHSCREEN_FINGER","uiMode":"UI_MODE_TYPE_NORMAL+UI_MODE_NIGHT_NO","userSetLocale":false},"CRASH_CONFIGURATION":{"appBounds":"Rect(0, 0 - 720, 
1358)","assetsSeq":0,"colorMode":5,"compatScreenHeightDp":584,"compatScreenWidthDp":319,"compatSmallestScreenWidthDp":320,"densityDpi":272,"fontScale":1.15,"hardKeyboardHidden":2,"keyboard":"KEYBOARD_NOKEYS","keyboardHidden":1,"locale":"tr_TR","mcc":286,"mnc":1,"navigation":1,"navigationHidden":2,"orientation":1,"screenHeightDp":774,"screenLayout":"SCREENLAYOUT_SIZE_NORMAL+SCREENLAYOUT_LONG_YES+SCREENLAYOUT_LAYOUTDIR_LTR+SCREENLAYOUT_ROUND_NO","screenWidthDp":423,"seq":10,"smallestScreenWidthDp":423,"touchscreen":"TOUCHSCREEN_FINGER","uiMode":"UI_MODE_TYPE_NORMAL+UI_MODE_NIGHT_NO","userSetLocale":false},"DISPLAY":{"0":{"currentSizeRange":{"smallest":[720,679],"largest":[1358,1317]},"flags":"FLAG_SUPPORTS_PROTECTED_BUFFERS+FLAG_SECURE","metrics":{"density":1.7000000476837158,"densityDpi":272,"scaledDensity":"x1.7","widthPixels":720,"heightPixels":1358,"xdpi":281.3529968261719,"ydpi":281.3529968261719},"realMetrics":{"density":1.7000000476837158,"densityDpi":272,"scaledDensity":"x1.7","widthPixels":720,"heightPixels":1440,"xdpi":281.3529968261719,"ydpi":281.3529968261719},"name":"Yerleşik Ekran","realSize":[720,1440],"rectSize":[0,0,720,1358],"size":[720,1358],"rotation":"ROTATION_0","isValid":true,"orientation":0,"refreshRate":60.000003814697266,"height":1358,"width":720,"pixelFormat":1}},"USER_COMMENT":null,"USER_EMAIL":"N\/A","USER_APP_START_DATE":"2021-05-31T23:02:02.795+03:00","USER_CRASH_DATE":"2021-06-01T00:00:05.278+03:00","DUMPSYS_MEMINFO":"","LOGCAT":"06-01 00:00:04.711 I\/okhttp.OkHttpClient( 3196): Content-Length: 0\n06-01 00:00:04.712 I\/okhttp.OkHttpClient( 3196): --> END POST (0-byte body)\n06-01 00:00:04.764 I\/okhttp.OkHttpClient( 3196): <-- 200 OK http:\/\/172.16.220.32\/wsSayacOkuma\/api\/OkumaVerileri (381ms)\n06-01 00:00:04.764 I\/okhttp.OkHttpClient( 3196): Cache-Control: no-cache\n06-01 00:00:04.764 I\/okhttp.OkHttpClient( 3196): Pragma: no-cache\n06-01 00:00:04.764 I\/okhttp.OkHttpClient( 3196): Content-Type: application\/json; 
charset=utf-8\n06-01 00:00:04.764 I\/okhttp.OkHttpClient( 3196): Expires: -1\n06-01 00:00:04.765 I\/okhttp.OkHttpClient( 3196): Server: Microsoft-IIS\/10.0\n06-01 00:00:04.765 I\/okhttp.OkHttpClient( 3196): X-AspNet-Version: 4.0.30319\n06-01 00:00:04.765 I\/okhttp.OkHttpClient( 3196): X-Powered-By: ASP.NET\n06-01 00:00:04.765 I\/okhttp.OkHttpClient( 3196): Date: Mon, 31 May 2021 21:00:04 GMT\n06-01 00:00:04.765 I\/okhttp.OkHttpClient( 3196): Content-Length: 342\n06-01 00:00:04.765 I\/okhttp.OkHttpClient( 3196): {\"pOut\":{\"Kod\":\"999\",\"Mesaj\":\"Başarılı\"},\"sistemTarihi\":{\"pOut\":{\"Kod\":\"999\",\"Mesaj\":\"Başarılı\"},\"sistemSaati\":\"00:00\",\"sistemTarihi\":\"01.06.2021\"},\"aciklama\":\"Okuma:122 İhbar:7 \/ Süre:0,1844033\",\"indirmeAdresi\":\"http:\/\/172.16.220.25\/wsSayacOkuma\/sayac_okuma_datalari\/210601\/2053\/000004148.zip\",\"mukaveleAdedi\":\"122\",\"ihbarAdedi\":\"7\"}\n06-01 00:00:04.765 I\/okhttp.OkHttpClient( 3196): <-- END HTTP (342-byte body)\n06-01 00:00:04.789 I\/okhttp.OkHttpClient( 3196): <-- 200 OK http:\/\/172.16.220.32\/wsSayacOkuma\/api\/Uygulama (77ms)\n06-01 00:00:04.790 I\/okhttp.OkHttpClient( 3196): Cache-Control: no-cache\n06-01 00:00:04.790 I\/okhttp.OkHttpClient( 3196): Pragma: no-cache\n06-01 00:00:04.790 I\/okhttp.OkHttpClient( 3196): Content-Type: application\/json; charset=utf-8\n06-01 00:00:04.790 I\/okhttp.OkHttpClient( 3196): Expires: -1\n06-01 00:00:04.790 I\/okhttp.OkHttpClient( 3196): Server: Microsoft-IIS\/10.0\n06-01 00:00:04.790 I\/okhttp.OkHttpClient( 3196): X-AspNet-Version: 4.0.30319\n06-01 00:00:04.790 I\/okhttp.OkHttpClient( 3196): X-Powered-By: ASP.NET\n06-01 00:00:04.790 I\/okhttp.OkHttpClient( 3196): Date: Mon, 31 May 2021 21:00:04 GMT\n06-01 00:00:04.790 I\/okhttp.OkHttpClient( 3196): Content-Length: 247\n06-01 00:00:04.790 I\/okhttp.OkHttpClient( 3196): {\"pOut\":{\"Kod\":\"999\",\"Mesaj\":\"Versiyon bilgisi 
alındı.\"},\"Versiyon\":\"3.69\",\"IndirmeAdresi\":\"http:\/\/172.16.220.25\/apk\/3.69\/sayacokuma.apk\",\"Aciklama\":\"\\n<p>Versiyon 3.69 - 19.05.2021<\/p>\\n*İski fotoğraf isteme zorunluluğu kaldırıldı<br>\\n\"}\n06-01 00:00:04.791 I\/okhttp.OkHttpClient( 3196): <-- END HTTP (247-byte body)\n06-01 00:00:04.961 I\/AssistStructure( 3196): Flattened final assist data: 2240 bytes, containing 1 windows, 7 views\n06-01 00:00:04.983 W\/System.err( 3196): java.io.FileNotFoundException: \/storage\/emulated\/0\/Android\/data\/tr.gov.iski.ortaksayacokuma\/Download\/20210601.sqlite3 (No such file or directory)\n06-01 00:00:04.983 W\/System.err( 3196): \tat java.io.FileInputStream.open0(Native Method)\n06-01 00:00:04.983 W\/System.err( 3196): \tat java.io.FileInputStream.open(FileInputStream.java:200)\n06-01 00:00:04.983 W\/System.err( 3196): \tat java.io.FileInputStream.<init>(FileInputStream.java:150)\n06-01 00:00:04.983 W\/System.err( 3196): \tat tr.gov.iski.helpers.FileHelper.copy(FileHelper.java:1)\n06-01 00:00:04.983 W\/System.err( 3196): \tat tr.gov.iski.services.DownloadService.initDownload(DownloadService.java:6)\n06-01 00:00:04.983 W\/System.err( 3196): \tat tr.gov.iski.services.DownloadService.onHandleIntent(DownloadService.java:8)\n06-01 00:00:04.984 W\/System.err( 3196): \tat android.app.IntentService$ServiceHandler.handleMessage(IntentService.java:76)\n06-01 00:00:04.984 W\/System.err( 3196): \tat android.os.Handler.dispatchMessage(Handler.java:106)\n06-01 00:00:04.984 W\/System.err( 3196): \tat android.os.Looper.loop(Looper.java:164)\n06-01 00:00:04.984 W\/System.err( 3196): \tat android.os.HandlerThread.run(HandlerThread.java:65)\n06-01 00:00:05.185 E\/WindowManager( 3196): \n06-01 00:00:05.185 E\/WindowManager( 3196): android.view.WindowLeaked: Activity tr.gov.iski.ortaksayacokuma.OperationsActivity has leaked window DecorView@80ad74f[] that was originally added here\n06-01 00:00:05.185 E\/WindowManager( 3196): \tat 
android.view.ViewRootImpl.<init>(ViewRootImpl.java:489)\n06-01 00:00:05.185 E\/WindowManager( 3196): \tat android.view.WindowManagerGlobal.addView(WindowManagerGlobal.java:346)\n06-01 00:00:05.185 E\/WindowManager( 3196): \tat android.view.WindowManagerImpl.addView(WindowManagerImpl.java:94)\n06-01 00:00:05.185 E\/WindowManager( 3196): \tat android.app.Dialog.show(Dialog.java:330)\n06-01 00:00:05.185 E\/WindowManager( 3196): \tat tr.gov.iski.network.OkumaVerileriController.<init>(OkumaVerileriController.java:2)\n06-01 00:00:05.185 E\/WindowManager( 3196): \tat tr.gov.iski.ortaksayacokuma.OperationsActivity.downloadContent
meta = truncated
0 Karma

ITWhisperer
SplunkTrust
| rex "(?<time>\d{4}-\d\d-\d\d\s\d\d:\d\d:\d\d\.\d+)\s(?<data>.*)"
| spath input=data path=STACK_TRACE output=stacktrace
| table time stacktrace
0 Karma
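As an added example (not code from the thread or from Splunk), here is the same rex + spath + table pipeline expressed in Python over constructed events shaped like the ACRA crash report above. It goes a little beyond the single pasted event: it also shows what the pipeline yields for a body that is not valid JSON (like the truncated paste) and for a line that lacks the timestamp prefix, where rex simply does not match.

```python
import json
import re

# Same pattern as the rex in the accepted answer: timestamp, one space, then the rest.
EVENT_RE = re.compile(
    r"(?P<time>\d{4}-\d\d-\d\d\s\d\d:\d\d:\d\d\.\d+)\s(?P<data>.*)", re.S
)


def extract_time_and_stacktrace(event):
    """Return {"time": ..., "stacktrace": ...} for one raw event.

    Mirrors `rex ... | spath input=data path=STACK_TRACE output=stacktrace`:
    a missing timestamp prefix or a body that is not valid JSON yields None
    for the field, the way an unmatched rex/spath leaves the field empty.
    """
    m = EVENT_RE.match(event)
    if not m:
        return {"time": None, "stacktrace": None}
    try:
        body = json.loads(m.group("data"))
    except json.JSONDecodeError:
        return {"time": m.group("time"), "stacktrace": None}
    trace = body.get("STACK_TRACE") if isinstance(body, dict) else None
    return {"time": m.group("time"), "stacktrace": trace}


def table(events):
    """Equivalent of `| table time stacktrace` over several events."""
    return [extract_time_and_stacktrace(e) for e in events]


# Constructed sample events (not real data); the device/build fields the
# asker wants to drop are kept short here.
SAMPLE_EVENTS = [
    '2021-06-01 00:00:05.3330 {"REPORT_ID":"example-1","BRAND":"ExampleBrand",'
    '"PHONE_MODEL":"Example Model","STACK_TRACE":"java.lang.IllegalArgumentException: '
    'View not attached to window manager\\n\\tat android.view.WindowManagerGlobal.'
    'findViewLocked(WindowManagerGlobal.java:485)\\n","LOGCAT":"..."}',
    # Truncated event: JSON body cut off, as in a paste that ends mid-string.
    '2021-06-01 00:00:06.0000 {"REPORT_ID":"example-2","STACK_TRACE":"java.lang.Null',
    # Line without the timestamp prefix: rex would not match at all.
    'plain text line with no JSON',
]

if __name__ == "__main__":
    for row in table(SAMPLE_EVENTS):
        first = row["stacktrace"].splitlines()[0] if row["stacktrace"] else ""
        print(row["time"], "|", first)
```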

furkanern
Engager

It was the thing I searched for. Thank you for the answer.

0 Karma

furkanern
Engager

Like I said, only date and stack trace are significant and worth analysing. I don't want the other fields.

0 Karma

ITWhisperer
SplunkTrust
| spath path="STACK_TRACE" output="StackTrace"

The path may not be correct, but it is a little difficult to tell from the image. If you could share the event in a code block </> that would help.

0 Karma