Splunk Search

Hi Team, I need a field extraction of the ERROR and INFO status in logs.

Hemant1
Explorer

ERROR [monki_HMCatalogSyncJob::de.hybris.platform.servicelayer.internal.jalo.ServicelayerJob] -[J= U= C=] (monki) (0000MM1K) [CatalogVersionSyncJob] Finished synchronization in 0d 00h:00m:07s:499ms. There were errors during the synchronization!

INFO [monki_HMCatalogSyncJob::de.hybris.platform.servicelayer.internal.jalo.ServicelayerJob] -[J= U= C=] (monki) (0000ML9S) [CatalogVersionSyncJob] Finished synchronization in 0d 00h:00m:17s:091ms. No errors.


0 Karma

daisy_st
Loves-to-Learn Lots

Hi, this is a simple extraction. Do events always start with the status? If yes, it will look something like:
| rex field=_raw "(?<status>^\w+)"

You can use regex101.com to fine tune the regex if it is not working.

0 Karma

ITWhisperer
SplunkTrust

Which parts of these events do you want?

0 Karma

Hemant1
Explorer

I need to extract the INFO and ERROR part.

0 Karma

ITWhisperer
SplunkTrust

What is wrong with what @daisy_st suggested?

One reason it might not be working is that the information you provided is not your actual raw event. If that is the case, please provide some real examples.

Another possibility is that you are not looking for a search-time / SPL extraction but want to know how to extract this at index time. Can you please clarify?

0 Karma
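Added example, not from the thread or from Splunk: a small Python script that checks daisy_st's rex pattern offline against the two events posted above, and also against a constructed copy of the INFO event with a timestamp prefix, which is the "not your actual raw event" case ITWhisperer raises. Splunk's rex uses PCRE and accepts (?<name>...) groups, while Python's re module only accepts (?P<name>...), so the helper splunk_to_python rewrites the group syntax before compiling. The ROBUST_STATUS and DURATION patterns, the timestamp prefix and the helper names are my assumptions, not anything from the thread.

```python
"""Check Splunk rex patterns offline before pasting them into SPL.

Added example, not code from the thread. Splunk's rex command is PCRE, so it
accepts (?<name>...) named groups; Python's re module needs (?P<name>...),
so the Splunk pattern is translated before it is compiled.
"""
import re
from typing import Optional

# Pattern from daisy_st's answer: the status is the first word of the event.
SIMPLE_STATUS = r"(?<status>^\w+)"

# Assumed, more defensive pattern: match the level token wherever it appears,
# as long as it is followed by the bracketed logger name. This survives a
# timestamp or host prefix on the raw event.
ROBUST_STATUS = r"\b(?<status>ERROR|WARN|INFO|DEBUG)\b\s+\["

# Assumed pattern for the 'Finished synchronization in 0d 00h:00m:07s:499ms'
# text, so the sync duration can be charted as a number.
DURATION = r"in (?<d>\d+)d (?<h>\d+)h:(?<m>\d+)m:(?<s>\d+)s:(?<ms>\d+)ms"


def splunk_to_python(pattern: str) -> str:
    """Rewrite PCRE (?<name>...) groups as Python (?P<name>...).

    Lookbehinds (?<= and (?<! are left untouched.
    """
    return re.sub(r"\(\?<(?=[A-Za-z_])", "(?P<", pattern)


def rex(pattern: str, raw: str) -> dict:
    """Emulate '| rex field=_raw "<pattern>"' on a single event.

    Returns the named groups, or {} when the pattern does not match
    (Splunk simply leaves the fields absent in that case).
    """
    m = re.search(splunk_to_python(pattern), raw)
    return m.groupdict() if m else {}


def duration_ms(raw: str) -> Optional[int]:
    """Total synchronization time in milliseconds, or None if not present."""
    f = rex(DURATION, raw)
    if not f:
        return None
    return (int(f["d"]) * 86_400_000 + int(f["h"]) * 3_600_000
            + int(f["m"]) * 60_000 + int(f["s"]) * 1_000 + int(f["ms"]))


# The two events posted in the thread.
EVENTS = [
    "ERROR [monki_HMCatalogSyncJob::de.hybris.platform.servicelayer.internal.jalo.ServicelayerJob] -[J= U= C=] (monki) (0000MM1K) [CatalogVersionSyncJob] Finished synchronization in 0d 00h:00m:07s:499ms. There were errors during the synchronization!",
    "INFO [monki_HMCatalogSyncJob::de.hybris.platform.servicelayer.internal.jalo.ServicelayerJob] -[J= U= C=] (monki) (0000ML9S) [CatalogVersionSyncJob] Finished synchronization in 0d 00h:00m:17s:091ms. No errors.",
]

# Constructed variant (not from the thread): the same INFO event with a
# timestamp prefix, to show that '^\w+' silently extracts the wrong token
# when the raw event does not begin with the level.
TIMESTAMPED = "2024-01-15 10:23:45,123 " + EVENTS[1]

if __name__ == "__main__":
    for raw in EVENTS + [TIMESTAMPED]:
        print(rex(SIMPLE_STATUS, raw), rex(ROBUST_STATUS, raw), duration_ms(raw))
```

On the two posted events both patterns give status=ERROR and status=INFO. On the timestamped copy the simple pattern returns status=2024 with no error at all, which is why ITWhisperer asks for real raw events: the extraction does not fail, it quietly produces a useless field. The robust pattern goes into SPL unchanged as `| rex field=_raw "\b(?<status>ERROR|WARN|INFO|DEBUG)\b\s+\["`; if the extraction should apply to every search on the sourcetype rather than one query, the same regex can be set as a search-time `EXTRACT-status` entry in props.conf, which avoids the cost of an index-time extraction.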