Splunk Search

How can I extract a string named "CRASHED" from a field containing many strings while creating a dashboard?

New Member
CF_MSG(field name)  : "App instance exited with guid fd4c7738-1dea-449d-a13b-7856d843c5b3 payload: {\"instance\"=\u003e\"90f808fe-bdfa-434c-5bd1-b96e162042b1\", \"index\"=\u003e0, \"reason\"=\u003e\"CRASHED\", \"exit_description\"=\u003e\"2 error(s) occurred:\\n\\n* 1 error(s) occurred:\\n\\n* Codependent step exited\\n* cancelled\", \"crash_count\"=\u003e2, \"crash_timestamp\"=\u003e1479486559346525444, \"version\"=\u003e\"eb5e5ca2-fbb1-4d61-993a-73b13e37ea42\"

I am using this regex but its not giving me any output :

CF_MSG=*CRASHED | stats count by CF_APP_NAME
0 Karma


Searching for (CRASHED) or _raw="CRASHED" as @sundaresh advises will work great but will be searching overall on the event data. Since you already know the field in which the data is coming, CF_MSG, how about using that field itself to make it (maybe) slightly faster than "overall" searches for keyword CRASHED and to avoid catching a CRASHED which is not part of your field CF_MSG but elsewhere in overall raw data. So query you should be looking at besides the two @sundaresh provides is:

index=int_gcg_nam_pcf_application_prod CF_MSG=*(CRASHED)*| stats count by CF_APP_NAME
0 Karma


Try this

index=int_gcg_nam_pcf_application_prod CASE("*CRASHED*") | stats count by CF_APP_NAME


index=int_gcg_nam_pcf_application_prod | regex _raw="CRASHED" | stats count by CF_APP_NAME
0 Karma