Splunk Search

How to extract Specific field and segregate the bunched eventslogs

john_snow
Engager

I have logs coming from AWS,
first, I need to get just a message (which is an event) from the log 
Second, in some logs, we have multiple messages inside log events,
How I can just show logEvents{}.message and segregate the messages from the logs? 

Sample log is

{
 [-] 
   logEvents: [ [-] 
     { [-] 
       id: 123456789..... 
       message: {"Actual Log Event"} 
       timestamp: 1601177009988 
     } 
     { [-]
     } 
   ] 

   logGroup: CloudTrail 
   logStream: 1234567890_CloudTrail_us-east-1 
   messageType: DATA_MESSAGE 
   owner:1234567890 
   subscriptionFilters: [ [-]
   ] 

}

Labels (3)
Tags (4)

ITWhisperer
SplunkTrust
SplunkTrust
| spath input=event logEvents{}.message

This assumes that event contains just the JSON format part of the log.

john_snow
Engager

How I can separate messages from the nested log like in the below log I wanted to separate each message in a log event. We can have single or multiple meesga in a LogEven

{ [-] 
   logEvents: [ [-] 
     { [-] 
       id: 123456789..... 
       message: {"Actual Log Event"} 
       timestamp: 1601177009988 
     } 
     { [-]
       id: 123456789..... 
       message: {"Actual Log Event"} 
       timestamp: 1601177009988 
     } 
   ] 
   logGroup: CloudTrail 
   logStream: 1234567890_CloudTrail_us-east-1 
   messageType: DATA_MESSAGE 
   owner:1234567890 
   subscriptionFilters: [ [-]
   ] 
}
Tags (3)
0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

First extract logEvents{}, then extract message from those. Something like

| spath logEvents{} output=logEvents
| mvexpand logEvents
| spath input=logEvents message

You may need the mvexpand to separate out the different messages.

0 Karma
Get Updates on the Splunk Community!

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...