Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Hi Team , I need Field extraction of status Error and INFO status in logs .

Hemant1
Explorer
‎12-02-2020 05:51 AM

ERROR [monki_HMCatalogSyncJob::de.hybris.platform.servicelayer.internal.jalo.ServicelayerJob] -[J= U= C=] (monki) (0000MM1K) [CatalogVersionSyncJob] Finished synchronization in 0d 00h:00m:07s:499ms. There were errors during the synchronization!

INFO [monki_HMCatalogSyncJob::de.hybris.platform.servicelayer.internal.jalo.ServicelayerJob] -[J= U= C=] (monki) (0000ML9S) [CatalogVersionSyncJob] Finished synchronization in 0d 00h:00m:17s:091ms. No errors.

 

Labels (1)
Labels
0 Karma
Reply

daisy_st
Loves-to-Learn Everything
‎12-02-2020 02:25 PM

hi, this is a simple extraction. Do events always start with the status? If yes, it will look something like:
| rex field=_raw "(?<status>^\w+)"

You can use regex101.com to fine tune the regex if it is not working.

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎12-02-2020 05:58 AM

Which parts of these events do you want?

0 Karma
Reply

Hemant1
Explorer
‎12-02-2020 09:58 PM

i need to extract INFO and Error part 

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎12-03-2020 01:49 AM

What is wrong with what @daisy_st  suggested?

One reason it might not be working is that the information you provided is not your actual raw event. If that is the case, please provide some real examples.

Another possibility is that you are not looking for search time / SPL extraction but you want to know how to extract this at indexing time. Please can you clarify?

0 Karma
Reply
Get Updates on the Splunk Community!

.conf25 technical session recap of Observability for Gen AI: Monitoring LLM ...

If you’re unfamiliar, .conf is Splunk’s premier event where the Splunk community, customers, partners, and ...

A Season of Skills: New Splunk Courses to Light Up Your Learning Journey

There’s something special about this time of year—maybe it’s the glow of the holidays, maybe it’s the ...

Announcing the Migration of the Splunk Add-on for Microsoft Azure Inputs to ...

Announcing the Migration of the Splunk Add-on for Microsoft Azure Inputs to Officially Supported Splunk ...