Splunk Search

Hi Team, I need field extraction of the ERROR and INFO status in logs.

Hemant1
Explorer

ERROR [monki_HMCatalogSyncJob::de.hybris.platform.servicelayer.internal.jalo.ServicelayerJob] -[J= U= C=] (monki) (0000MM1K) [CatalogVersionSyncJob] Finished synchronization in 0d 00h:00m:07s:499ms. There were errors during the synchronization!

INFO [monki_HMCatalogSyncJob::de.hybris.platform.servicelayer.internal.jalo.ServicelayerJob] -[J= U= C=] (monki) (0000ML9S) [CatalogVersionSyncJob] Finished synchronization in 0d 00h:00m:17s:091ms. No errors.

daisy_st
Loves-to-Learn Everything

Hi, this is a simple extraction. Do events always start with the status? If yes, it will look something like:
| rex field=_raw "(?<status>^\w+)"

You can use regex101.com to fine tune the regex if it is not working.


ITWhisperer
SplunkTrust

Which parts of these events do you want?


Hemant1
Explorer

I need to extract the INFO and ERROR part.


ITWhisperer
SplunkTrust

What is wrong with what @daisy_st suggested?

One reason it might not be working is that the information you provided is not your actual raw event. If that is the case, please provide some real examples.

Another possibility is that you are not looking for search time / SPL extraction but you want to know how to extract this at indexing time. Please can you clarify?

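To make the two replies above concrete, here is an added Python example (not code from the thread or from Splunk) that runs the equivalent of daisy_st's rex over the two posted events and over a constructed third event with a timestamp prefix, which is the situation ITWhisperer warns about: the anchored `^\w+` then returns "2024" instead of the level. A second, unanchored pattern pulls the level plus the other fixed pieces of the hybris line and converts the duration to milliseconds. The field names job, tenant, thread and task are labels assumed here for the bracketed parts of the line; Python's `re` spells named groups `(?P<name>...)` where Splunk's PCRE accepts `(?<name>...)`.

```python
import re
from collections import Counter

# Constructed sample events. The first two are the lines quoted in the question;
# the third is an assumed variant with a timestamp prefix, added to show why an
# anchored regex depends on what the raw event really looks like.
EVENTS = [
    "ERROR [monki_HMCatalogSyncJob::de.hybris.platform.servicelayer.internal.jalo.ServicelayerJob] "
    "-[J= U= C=] (monki) (0000MM1K) [CatalogVersionSyncJob] Finished synchronization in "
    "0d 00h:00m:07s:499ms. There were errors during the synchronization!",
    "INFO [monki_HMCatalogSyncJob::de.hybris.platform.servicelayer.internal.jalo.ServicelayerJob] "
    "-[J= U= C=] (monki) (0000ML9S) [CatalogVersionSyncJob] Finished synchronization in "
    "0d 00h:00m:17s:091ms. No errors.",
    "2024-01-01 10:00:00,000 WARN [monki_HMCatalogSyncJob::de.hybris.platform.servicelayer.internal.jalo.ServicelayerJob] "
    "-[J= U= C=] (monki) (0000MM2A) [CatalogVersionSyncJob] Finished synchronization in "
    "0d 00h:01m:02s:003ms. No errors.",
]

# Python spelling of the posted rex "(?<status>^\w+)": Python's re needs (?P<name>...)
# where Splunk's PCRE accepts (?<name>...).
ANCHORED_RE = re.compile(r"^(?P<status>\w+)")

# Assumed field names (job, tenant, thread, task): labels chosen here for the
# bracketed pieces of the hybris line, not names the thread or Splunk defines.
FULL_RE = re.compile(
    r"\b(?P<status>ERROR|WARN|INFO|DEBUG)\s+"
    r"\[(?P<job>[^\]]+)\]\s+-\[[^\]]*\]\s+"
    r"\((?P<tenant>[^)]+)\)\s+\((?P<thread>[^)]+)\)\s+"
    r"\[(?P<task>[^\]]+)\]\s+Finished synchronization in "
    r"(?P<d>\d+)d (?P<h>\d+)h:(?P<m>\d+)m:(?P<s>\d+)s:(?P<ms>\d+)ms\.\s*"
    r"(?P<outcome>.*)$"
)


def extract_anchored(event: str):
    """Return the first word token, as the posted rex would; None if the line is empty."""
    m = ANCHORED_RE.match(event)
    return m.group("status") if m else None


def extract_full(event: str):
    """Pull status plus the other fixed fields; return None if the event does not match."""
    m = FULL_RE.search(event)
    if not m:
        return None
    g = m.groupdict()
    duration_ms = (((int(g["d"]) * 24 + int(g["h"])) * 60 + int(g["m"])) * 60
                   + int(g["s"])) * 1000 + int(g["ms"])
    return {
        "status": g["status"],
        "job": g["job"],
        "tenant": g["tenant"],
        "thread": g["thread"],
        "task": g["task"],
        "duration_ms": duration_ms,
        # The trailing sentence says whether the sync had errors, independent of the level.
        "had_errors": not g["outcome"].startswith("No errors"),
    }


def summarize(events):
    """Count events per status, the equivalent of '| stats count by status' after the rex."""
    return Counter(r["status"] for r in map(extract_full, events) if r)


if __name__ == "__main__":
    for e in EVENTS:
        print(extract_anchored(e), extract_full(e))
    print(summarize(EVENTS))
```

Running this prints "ERROR", "INFO" and then "2024" for the anchored pattern, while the full pattern returns WARN for the third line and 7499, 17091 and 62003 ms for the three durations. In Splunk the same unanchored pattern can be used with `rex` at search time or tested on regex101.com against copies of the real raw events, which is the check the thread asks for before deciding on a search-time or index-time extraction.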