
Get Json object from the splunk log as a field


I am having the splunk log in the following format:

2018-03-02T17:02:27.453185+00:00 ESP-Finance-NPE.development.abctestprocessor-dev a36c4e54-dc5a-4d23-afb3-10f1661b19b4[[APP/PROC/WEB/0]]: cf_foundation=*** cf_app_name=*** cf_app_id=a36c4e54-dc5a-4d23-afb3-10f1661b19b4 cf_org_name=**** cf_org_id=*** cf_space_name=development cf_space_id=*** .source.s_cf_apps 2018-03-02 09:02:27.452 ERROR 14 --- [TaskExecutor-82] c.tmobile.finance.service.LoggerService  : {"host_endpoint":"","domain":"CUSTOMER_FINANCE","component":"abctestProcessor","log_type":"ERROR","space_name":"development","event_source":"DEEP_PROXY","api_name":"test_abc","api_id":"a36c4e54-dc5a-4d23-afb3-10f1661b19b4","message_format":"application/json","error_code":0,"stack_trace":"com.tmobile.deep.abc.exception.FinanceSystemE"operation_name":"testEquipmentSerialNumberUpdateCompleted","testId":"testString","msisdn":"testString","guid":"testString","activityid":"testString","api_request":{"eventId":"event123","sourceId":null,"eventType":"testEquipmentSerialNumberUpdateCompleted","eventTime":{"offset":{"totalSeconds":0,"id":"Z","rules":{"fixedOffset":true,"transitions":[],"transitionRules":[]}},"hour":0,"minute":30,"second":21,"nano":298000000,"year":2018,"month":"FEBRUARY","dayOfMonth":10,"dayOfWeek":"SATURDAY","dayOfYear":41,"monthValue":2},"eventProducerId":"Produce123","eventVersion":"testString","specifications":[{"name":"testString","value":"testString"}],"auditInfo":{"customerId":"testString","accountNumber":"testString","universalLineId":"testString","lineId":"testString","phoneNumber":"testString","iamUniqueId":"testString","batchId":"testString","orderId":"testString"},"headerReference":{"activityId":"testString","applicationId":"testString","applicationUserId":"testString","authCustomerId":"testString","authFinancialAccountId":"testString","authLineOfServiceId":"testString","channelId":"testString","dealerCode":"testString","interactionId":"testString","masterDealerCode":"testString","segmentationId":"testString","senderId":"testString","sessionId":"testString","storeId":"testString","terminalId":"testString","tillId":"testString","workflowId":"testString","timestamp":{"offset":{"totalSeconds":0,"id":"Z","rules":{"fixedOffset":true,"transitions":[],"transitionRules":[]}},"hour":0,"minute":30,"second":21,"nano":298000000,"year":2018,"month":"FEBRUARY","dayOfMonth":10,"dayOfWeek":"SATURDAY","dayOfYear":41,"monthValue":2}},"payload":{"createtestRequest":{"header":{"senderid":"testString","channelid":"testString"},"tests":{"account":{"universalLineId":"testString"},"sourceTransactionTime":"2018-02-10T00:30:21.298Z","phoneNumber":"testString","purchasedEquipment":{"description":"testString","imei":"testString"},"testId":"testString"}}},"processContext":{"rootId":"67310650-1e3b-11e8-945d-a5cf584f50bc","parentId":"67310650-1e3b-11e8-945d-a5cf584f50bc","spaceName":"development"},"currentRetryCount":0,"maxRetryAttempts":0,"retryDelay":0,"taskId":null,"errorData":null,"status":null,"subStatus":null},"api_response":"org.hibernate.exception.GenericJDBCException: Error calling CallableStatement.getMoreResults","httpStatusCode":"503","key":"testString","additionalAttributes":{}}

Now I want to extract all the payload content, i.e. my query should return the following:

   {"createtestRequest":{"header":{"senderid":"testString","channelid":"testString"},"tests":{"account":{"universalLineId":"testString"},"sourceTransactionTime":"2018-02-10T00:30:21.298Z","phoneNumber":"testString","purchasedEquipment":{"description":"testString","imei":"testString"},"testId":"testString"}}},"processContext":{"rootId":"67310650-1e3b-11e8-945d-a5cf584f50bc","parentId":"67310650-1e3b-11e8-945d-a5cf584f50bc","spaceName":"development"},"currentRetryCount":0,"maxRetryAttempts":0,"retryDelay":0,"taskId":null,"errorData":null,"status":null,"subStatus":null}

I tried the following query, but it returns nothing:

index=*** sourcetype=*** "cf_foundation=px-***" cf_org_name="ESP-Finance-NPE" cf_app_name="***-dev"| rex field=_raw "eventId\"\:\"(?<eventId>[^\"]+)" |search eventId=event123 |rex "(?< payload>{[^}]+})"| table eventId,payload

Can anyone please suggest what I am doing wrong and provide the correct solution for it?


Re: Get Json object from the splunk log as a field


According to regex101.com, your regex strings are good, except for the space before "payload".
I would try changing "cf_foundation=px-***" to cf_foundation="px-***".
If you still get nothing, delete everything after the first pipe and make sure you get the events you expect. Then add each pipe in turn to verify they do what you expect.

---
If this reply helps you, an upvote would be appreciated.

Re: Get Json object from the splunk log as a field


@karthi25, if you are extracting eventId to filter "event123" from your _raw events then rex field extraction is not required. You can filter directly in your base search using "\"eventid\":\"event123\""

Following is a run-anywhere search, based on the sample data provided, which extracts the payload data:

| makeresults
| eval _raw="2018-03-02T17:02:27.453185+00:00 ESP-Finance-NPE.development.abctestprocessor-dev a36c4e54-dc5a-4d23-afb3-10f1661b19b4[[APP/PROC/WEB/0]]: cf_foundation=*** cf_app_name=*** cf_app_id=a36c4e54-dc5a-4d23-afb3-10f1661b19b4 cf_org_name=**** cf_org_id=*** cf_space_name=development cf_space_id=*** .source.s_cf_apps 2018-03-02 09:02:27.452 ERROR 14 --- [TaskExecutor-82] c.tmobile.finance.service.LoggerService  : {\"host_endpoint\":\"\",\"domain\":\"CUSTOMER_FINANCE\",\"component\":\"abctestProcessor\",\"log_type\":\"ERROR\",\"space_name\":\"development\",\"event_source\":\"DEEP_PROXY\",\"api_name\":\"test_abc\",\"api_id\":\"a36c4e54-dc5a-4d23-afb3-10f1661b19b4\",\"message_format\":\"application/json\",\"error_code\":0,\"stack_trace\":\"com.tmobile.deep.abc.exception.FinanceSystemE\"operation_name\":\"testEquipmentSerialNumberUpdateCompleted\",\"testId\":\"testString\",\"msisdn\":\"testString\",\"guid\":\"testString\",\"activityid\":\"testString\",\"api_request\":{\"eventId\":\"event123\",\"sourceId\":null,\"eventType\":\"testEquipmentSerialNumberUpdateCompleted\",\"eventTime\":{\"offset\":{\"totalSeconds\":0,\"id\":\"Z\",\"rules\":{\"fixedOffset\":true,\"transitions\":[],\"transitionRules\":[]}},\"hour\":0,\"minute\":30,\"second\":21,\"nano\":298000000,\"year\":2018,\"month\":\"FEBRUARY\",\"dayOfMonth\":10,\"dayOfWeek\":\"SATURDAY\",\"dayOfYear\":41,\"monthValue\":2},\"eventProducerId\":\"Produce123\",\"eventVersion\":\"testString\",\"specifications\":[{\"name\":\"testString\",\"value\":\"testString\"}],\"auditInfo\":{\"customerId\":\"testString\",\"accountNumber\":\"testString\",\"universalLineId\":\"testString\",\"lineId\":\"testString\",\"phoneNumber\":\"testString\",\"iamUniqueId\":\"testString\",\"batchId\":\"testString\",\"orderId\":\"testString\"},\"headerReference\":{\"activityId\":\"testString\",\"applicationId\":\"testString\",\"applicationUserId\":\"testString\",\"authCustomerId\":\"testString\",\"authFinancialAccountId\":\"testString\",\"authLineOfServiceId\":\"testString\",\"channelId\":\"testString\",\"dealerCode\":\"testString\",\"interactionId\":\"testString\",\"masterDealerCode\":\"testString\",\"segmentationId\":\"testString\",\"senderId\":\"testString\",\"sessionId\":\"testString\",\"storeId\":\"testString\",\"terminalId\":\"testString\",\"tillId\":\"testString\",\"workflowId\":\"testString\",\"timestamp\":{\"offset\":{\"totalSeconds\":0,\"id\":\"Z\",\"rules\":{\"fixedOffset\":true,\"transitions\":[],\"transitionRules\":[]}},\"hour\":0,\"minute\":30,\"second\":21,\"nano\":298000000,\"year\":2018,\"month\":\"FEBRUARY\",\"dayOfMonth\":10,\"dayOfWeek\":\"SATURDAY\",\"dayOfYear\":41,\"monthValue\":2}},\"payload\":{\"createtestRequest\":{\"header\":{\"senderid\":\"testString\",\"channelid\":\"testString\"},\"tests\":{\"account\":{\"universalLineId\":\"testString\"},\"sourceTransactionTime\":\"2018-02-10T00:30:21.298Z\",\"phoneNumber\":\"testString\",\"purchasedEquipment\":{\"description\":\"testString\",\"imei\":\"testString\"},\"testId\":\"testString\"}}},\"processContext\":{\"rootId\":\"67310650-1e3b-11e8-945d-a5cf584f50bc\",\"parentId\":\"67310650-1e3b-11e8-945d-a5cf584f50bc\",\"spaceName\":\"development\"},\"currentRetryCount\":0,\"maxRetryAttempts\":0,\"retryDelay\":0,\"taskId\":null,\"errorData\":null,\"status\":null,\"subStatus\":null},\"api_response\":\"org.hibernate.exception.GenericJDBCException: Error calling CallableStatement.getMoreResults\",\"httpStatusCode\":\"503\",\"key\":\"testString\",\"additionalAttributes\":{}}"
| search "\"eventid\":\"event123\""
| rex "{\"eventId\":\"(?<eventId>[^\"]+)"
| rex ",\"payload\":(?<payload>.*),\"api_response\""
| table eventId payload

PS: I have retained the eventId field in case you need it to be displayed in the result.

| eval message="Happy Splunking!!!"
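As an added example, not code from this thread, the following Python runs the question's `{[^}]+}` rex, the answer's key-anchored rex and a brace-aware alternative (Python's json.JSONDecoder.raw_decode) side by side on a constructed, shortened copy of the question's log line. It also shows why parsing the whole JSON body as one document fails on this sample: the stack_trace value is truncated and missing its comma, so only an extraction anchored on the payload key reaches the well-formed sub-object. The placeholder values (senderid "s", rootId "r1", etc.) stand in for the testString values of the original.

```python
import json
import re

# Constructed, shortened copy of the question's log line. As in the original,
# the embedded JSON is not valid as a whole: the stack_trace value is cut off
# and the comma before "operation_name" is missing, but "payload" is intact.
SAMPLE_LINE = (
    '2018-03-02 09:02:27.452 ERROR 14 --- [TaskExecutor-82] '
    'c.tmobile.finance.service.LoggerService  : '
    '{"domain":"CUSTOMER_FINANCE","log_type":"ERROR",'
    '"stack_trace":"com.example.FinanceSystemE"operation_name":"x",'
    '"api_request":{"eventId":"event123",'
    '"payload":{"createtestRequest":{"header":{"senderid":"s"},'
    '"tests":{"account":{"universalLineId":"u"}}}},'
    '"processContext":{"rootId":"r1","spaceName":"development"},'
    '"currentRetryCount":0,"taskId":null},'
    '"api_response":"GenericJDBCException","httpStatusCode":"503"}'
)

def naive_extract(line):
    """The question's rex {[^}]+} (braces escaped for Python): it stops at the
    FIRST closing brace, so on nested JSON the match starts at the outermost
    '{' and ends inside the innermost object, never at the payload."""
    m = re.search(r'(?P<payload>\{[^}]+\})', line)
    return m.group('payload') if m else None

def anchored_extract(line):
    """The answer's rex: anchor on the key before and the key after.
    Correct here only because "api_response" occurs once, after "payload"."""
    m = re.search(r',"payload":(?P<payload>.*),"api_response"', line)
    return m.group('payload') if m else None

def whole_body_parses(line):
    """Would parsing everything after the first '{' as one JSON document work?"""
    try:
        json.loads(line[line.index('{'):])
        return True
    except ValueError:  # JSONDecodeError is a ValueError; so is a missing '{'
        return False

def extract_json_value(line, key):
    """Brace-aware alternative: find "key": and decode exactly one JSON value
    starting there, ignoring what follows and what is broken elsewhere."""
    m = re.search(rf'"{re.escape(key)}"\s*:\s*', line)
    if not m:
        return None
    try:
        return json.JSONDecoder().raw_decode(line, m.end())[0]
    except json.JSONDecodeError:
        return None
```

In Splunk the equivalent of the brace-aware step is to rex the well-formed sub-object into a field first and then run spath on that field (spath input=payload) rather than on the whole, malformed body.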