Splunk Search

Hi Team, I need a field extraction of the status (Error and INFO) in the logs.


ERROR [monki_HMCatalogSyncJob::de.hybris.platform.servicelayer.internal.jalo.ServicelayerJob] -[J= U= C=] (monki) (0000MM1K) [CatalogVersionSyncJob] Finished synchronization in 0d 00h:00m:07s:499ms. There were errors during the synchronization!

INFO [monki_HMCatalogSyncJob::de.hybris.platform.servicelayer.internal.jalo.ServicelayerJob] -[J= U= C=] (monki) (0000ML9S) [CatalogVersionSyncJob] Finished synchronization in 0d 00h:00m:17s:091ms. No errors.



Hi, this is a simple extraction. Do events always start with the status? If yes, it will look something like:
| rex field=_raw "(?<status>^\w+)"

You can use regex101.com to fine tune the regex if it is not working.



Which parts of these events do you want?



I need to extract the INFO and Error part.



What is wrong with what @daisy_st suggested?

One reason it might not be working is that the information you provided is not your actual raw event. If that is the case, please provide some real examples.

Another possibility is that you are not looking for search time / SPL extraction but you want to know how to extract this at indexing time. Please can you clarify?
