Splunk Enterprise

Extract json from event if the event contains the string

karthi25
Path Finder

I have following events in splunk log

{ [-]
   log: {"@timestamp":"2019-11-18T16:02:16.080-08:00","@version":1,"message":"Files Succesfully Moved To S3 Bucket [20191118-160215~0.txt,  20191118-160215~0.txt.gz, ~20191118-160215~0.txt.gz.done]","logger_name":"FileGenerator","thread_name":"scheduling-1","level":"INFO","level_value":20000,"APP_NAME":"schedule"}

   stream: stdout
   time: 2019-11-19T00:02:16.08107067Z
}
{ [-]
   log: {"@timestamp":"2019-11-19T04:06:07.008-08:00","@version":1,"message":"Processing Ended at 2019-11-19T04:06:07.008-08:00","logger_name":"FileGenerator","thread_name":"scheduling-1","level":"INFO","level_value":20000,"APP_NAME":"schedule"}

   stream: stdout
   time: 2019-11-19T12:06:07.008346529Z
}

{ [-]
   log: {"@timestamp":"2019-11-16T16:00:00.658-08:00","@version":1,"message":"Files Succesfully Moved To S3 Bucket [ 20191116-160000~0.txt,  20191116-160000~0.txt.gz,  20191116-160000~0.txt.gz.done]","logger_name":"FileGenerator","thread_name":"scheduling-1","level":"INFO","level_value":20000,"APP_NAME":"schedule"}

   stream: stdout
   time: 2019-11-17T00:00:00.658656167Z
}

{ [-]
   log: {"@timestamp":"2019-11-15T16:00:00.565-08:00","@version":1,"message":"Files Succesfully Moved To S3 Bucket [ 20191115-160000~1.txt,  20191115-160000~1.txt.gz,  20191115-160000~1.txt.gz.done]","logger_name":"FileGenerator","thread_name":"scheduling-1","level":"INFO","level_value":20000,"APP_NAME":"schedule"}

   stream: stdout
   time: 2019-11-16T00:00:00.566173395Z
}

Now, I want to extract message,app_name,level from the log only when the message contains the string "Files Succesfully Moved To S3 Bucket".
I already tried the following query:

index=d** source=S***  source=u** "Files Succesfully Moved To S3 Bucket" | table APP_NAME,level,message

but it doesn't returns anything.

Labels (1)
0 Karma

woodcock
Esteemed Legend

Try this:

 index=d** source=S***  source=u** "Files Succesfully Moved To S3 Bucket"
| rename log AS _raw
| kv
| table APP_NAME,level,message
0 Karma

to4kawa
Ultra Champion
| makeresults 
| eval _raw=" { 
    \"log\": {\"@timestamp\": \"2019-11-15T16:00:00.565-08:00\",
    \"@version\": 1,
    \"message\": \"Files Succesfully Moved To S3 Bucket [ 20191115-160000~1.txt,  20191115-160000~1.txt.gz,  20191115-160000~1.txt.gz.done]\",
    \"logger_name\": \"FileGenerator\",
    \"thread_name\": \"scheduling-1\",
    \"level\": \"INFO\",
    \"level_value\": 20000,
    \"APP_NAME\": \"schedule\"},
    \"stream\": \"stdout\",
    \"time\": \"2019-11-16T00:00:00.566173395Z\"
 }" 
| spath

Hi, As you can see from the example, the field names are different.

index=d** source=S***  source=u** "Files Succesfully Moved To S3 Bucket" 
| table log.APP_NAME, log.level, log.message

How about it?

0 Karma

aberkow
Builder

If they're all in the form of "message":"Files Successfully Moved to S3 Bucket*", have you tried that as your search clause?

0 Karma
Get Updates on the Splunk Community!

Preparing your Splunk Environment for OpenSSL3

The Splunk platform will transition to OpenSSL version 3 in a future release. Actions are required to prepare ...

Deprecation of Splunk Observability Kubernetes “Classic Navigator” UI starting ...

Access to Splunk Observability Kubernetes “Classic Navigator” UI will no longer be available starting January ...

Now Available: Cisco Talos Threat Intelligence Integrations for Splunk Security Cloud ...

At .conf24, we shared that we were in the process of integrating Cisco Talos threat intelligence into Splunk ...