Splunk Enterprise
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Extract json from event if the event contains the string

karthi25
Path Finder
‎11-19-2019 04:43 AM

I have following events in splunk log

{ [-]
   log: {"@timestamp":"2019-11-18T16:02:16.080-08:00","@version":1,"message":"Files Succesfully Moved To S3 Bucket [20191118-160215~0.txt,  20191118-160215~0.txt.gz, ~20191118-160215~0.txt.gz.done]","logger_name":"FileGenerator","thread_name":"scheduling-1","level":"INFO","level_value":20000,"APP_NAME":"schedule"}

   stream: stdout
   time: 2019-11-19T00:02:16.08107067Z
}
{ [-]
   log: {"@timestamp":"2019-11-19T04:06:07.008-08:00","@version":1,"message":"Processing Ended at 2019-11-19T04:06:07.008-08:00","logger_name":"FileGenerator","thread_name":"scheduling-1","level":"INFO","level_value":20000,"APP_NAME":"schedule"}

   stream: stdout
   time: 2019-11-19T12:06:07.008346529Z
}

{ [-]
   log: {"@timestamp":"2019-11-16T16:00:00.658-08:00","@version":1,"message":"Files Succesfully Moved To S3 Bucket [ 20191116-160000~0.txt,  20191116-160000~0.txt.gz,  20191116-160000~0.txt.gz.done]","logger_name":"FileGenerator","thread_name":"scheduling-1","level":"INFO","level_value":20000,"APP_NAME":"schedule"}

   stream: stdout
   time: 2019-11-17T00:00:00.658656167Z
}

{ [-]
   log: {"@timestamp":"2019-11-15T16:00:00.565-08:00","@version":1,"message":"Files Succesfully Moved To S3 Bucket [ 20191115-160000~1.txt,  20191115-160000~1.txt.gz,  20191115-160000~1.txt.gz.done]","logger_name":"FileGenerator","thread_name":"scheduling-1","level":"INFO","level_value":20000,"APP_NAME":"schedule"}

   stream: stdout
   time: 2019-11-16T00:00:00.566173395Z
}

Now, I want to extract message,app_name,level from the log only when the message contains the string "Files Succesfully Moved To S3 Bucket".
I already tried the following query:

index=d** source=S***  source=u** "Files Succesfully Moved To S3 Bucket" | table APP_NAME,level,message

but it doesn't returns anything.

Labels (1)
Labels
0 Karma
Reply

woodcock
Esteemed Legend
‎11-20-2019 03:46 PM

Try this:

 index=d** source=S***  source=u** "Files Succesfully Moved To S3 Bucket"
| rename log AS _raw
| kv
| table APP_NAME,level,message
0 Karma
Reply

to4kawa
Ultra Champion
‎11-19-2019 05:22 PM 
| makeresults 
| eval _raw=" { 
    \"log\": {\"@timestamp\": \"2019-11-15T16:00:00.565-08:00\",
    \"@version\": 1,
    \"message\": \"Files Succesfully Moved To S3 Bucket [ 20191115-160000~1.txt,  20191115-160000~1.txt.gz,  20191115-160000~1.txt.gz.done]\",
    \"logger_name\": \"FileGenerator\",
    \"thread_name\": \"scheduling-1\",
    \"level\": \"INFO\",
    \"level_value\": 20000,
    \"APP_NAME\": \"schedule\"},
    \"stream\": \"stdout\",
    \"time\": \"2019-11-16T00:00:00.566173395Z\"
 }" 
| spath

Hi, As you can see from the example, the field names are different.

index=d** source=S***  source=u** "Files Succesfully Moved To S3 Bucket" 
| table log.APP_NAME, log.level, log.message

How about it?

0 Karma
Reply

aberkow
Builder
‎11-19-2019 04:52 PM

If they're all in the form of "message":"Files Successfully Moved to S3 Bucket*", have you tried that as your search clause?

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | What is broken 80% of the time by February?

December 2025 Edition   Hayyy Splunk Education Enthusiasts and the Eternally Curious!    We’re back with this ...

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...

Hello Splunk Community,   We're thrilled to share an exciting update that will help you manage your data more ...

Splunk MCP & Agentic AI: Machine Data Without Limits

Discover how the Splunk Model Context Protocol (MCP) Server can revolutionize the way your organization uses ...