Splunk Search

How to extract the fields in json format?

vineela
Path Finder

I am trying to extract the fields in JSON format, but I am not able to fetch the data.
PFB screenshot for reference:


I am not able to extract the fields. Can anyone help with this?

Thanks in Advance.


vineela
Path Finder

[1=javax.net.ssl.SSLHandshakeException[Remote host terminated the handshake],3=ip-10-31-39-168.ap-southeast-2.compute.internal/10.31.39.168:1417 (ip-10-31-39-168.ap-southeast-2.compute.internal),4=SSLSocket.startHandshake,5=default]\\n\tat com.ibm.mq.jmqi.remote.impl.RemoteTCPConnection.protocolConnect(RemoteTCPConnection.java:1325)\\n\tat com.ibm.mq.jmqi.remote.impl.RemoteConnection.connect(RemoteConnection.java:863)\\n\tat com.ibm.mq.jmqi.remote.impl.RemoteConnectionSpecification.getSessionFromNewConnection(RemoteConnectionSpecification.java:409)\\n\tat com.ibm.mq.jmqi.remote.impl.RemoteConnectionSpecification.getSession(RemoteConnectionSpecification.java:305)\\n\tat com.ibm.mq.jmqi.remote.impl.RemoteConnectionPool.getSession(RemoteConnectionPool.java:146)\\n\tat com.ibm.mq.jmqi.remote.api.RemoteFAP.jmqiConnect(RemoteFAP.java:1730)\\n\t... 21 more\\nCaused by: javax.net.ssl.SSLHandshakeException: Remote host terminated the handshake\\n\tat sun.security.ssl.SSLSocketImpl.handleEOF(SSLSocketImpl.java:1575)\\n\tat sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1405)\\n\tat sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1305)\\n\tat sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:440)\\n\tat com.ibm.mq.jmqi.remote.impl.RemoteTCPConnection$6.run(RemoteTCPConnection.java:1294)\\n\tat com.ibm.mq.jmqi.remote.impl.RemoteTCPConnection$6.run(RemoteTCPConnection.java:1286)\\n\tat java.security.AccessController.doPrivileged(Native Method)\\n\tat com.ibm.mq.jmqi.remote.impl.RemoteTCPConnection.protocolConnect(RemoteTCPConnection.java:1286)\\n\t... 26 more\\nCaused by: java.io.EOFException: SSL peer shut down incorrectly\\n\tat sun.security.ssl.SSLSocketInputRecord.decode(SSLSocketInputRecord.java:167)\\n\tat sun.security.ssl.SSLTransport.decode(SSLTransport.java:109)\\n\tat sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1397)\\n\t... 
32 more\\n java.io.EOFException: SSL peer shut down incorrectly\\n\tat sun.security.ssl.SSLSocketInputRecord.decode(SSLSocketInputRecord.java:167)\\n\tat sun.security.ssl.SSLTransport.decode(SSLTransport.java:109)\\n\tat sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1397)\\n\t... 32 common frames omitted\\nWrapped by: javax.net.ssl.SSLHandshakeException: Remote host terminated the handshake\\n\tat sun.security.ssl.SSLSocketImpl.handleEOF(SSLSocketImpl.java:1575)\\n\tat sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1405)\\n\tat sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1305)\\n\tat sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:440)\\n\tat com.ibm.mq.jmqi.remote.impl.RemoteTCPConnection$6.run(RemoteTCPConnection.java:1294)\\n\tat com.ibm.mq.jmqi.remote.impl.RemoteTCPConnection$6.run(RemoteTCPConnection.java:1286)\\n\tat java.security.AccessController.doPrivileged(Native Method)\\n\tat com.ibm.mq.jmqi.remote.impl.RemoteTCPConnection.protocolConnect(RemoteTCPConnection.java:1286)\\n\t... 26 common frames omitted\\nWrapped by: com.ibm.mq.jmqi.JmqiException: CC=2;RC=2397;AMQ9771: SSL handshake failed. 
[1=javax.net.ssl.SSLHandshakeException[Remote host terminated the handshake],3=ip-10-31-39-168.ap-southeast-2.compute.internal/10.31.39.168:1417 (ip-10-31-39-168.ap-southeast-2.compute.internal),4=SSLSocket.startHandshake,5=default]\\n\tat com.ibm.mq.jmqi.remote.impl.RemoteTCPConnection.protocolConnect(RemoteTCPConnection.java:1325)\\n\tat com.ibm.mq.jmqi.remote.impl.RemoteConnection.connect(RemoteConnection.java:863)\\n\tat com.ibm.mq.jmqi.remote.impl.RemoteConnectionSpecification.getSessionFromNewConnection(RemoteConnectionSpecification.java:409)\\n\tat com.ibm.mq.jmqi.remote.impl.RemoteConnectionSpecification.getSession(RemoteConnectionSpecification.java:305)\\n\tat com.ibm.mq.jmqi.remote.impl.RemoteConnectionPool.getSession(RemoteConnectionPool.java:146)\\n\tat com.ibm.mq.jmqi.remote.api.RemoteFAP.jmqiConnect(RemoteFAP.java:1730)\\n\t... 21 common frames omitted\\nWrapped by: com.ibm.mq.jmqi.JmqiException: CC=2;RC=2397;AMQ9204: Connection to host '10.31.39.168(1417)' rejected. [1=com.ibm.mq.jmqi.JmqiException[CC=2;RC=2397;AMQ9771: SSL handshake failed. 
[1=javax.net.ssl.SSLHandshakeException[Remote host terminated the handshake],3=ip-10-31-39-168.ap-southeast-2.compute.internal/10.31.39.168:1417 (ip-10-31-39-168.ap-southeast-2.compute.internal),4=SSLSocket.startHandshake,5=default]],3=10.31.39.168(1417),5=RemoteTCPConnection.protocolConnect]\\n\tat com.ibm.mq.jmqi.remote.api.RemoteFAP.jmqiConnect(RemoteFAP.java:2282)\\n\tat com.ibm.mq.jmqi.remote.api.RemoteFAP.jmqiConnect(RemoteFAP.java:1294)\\n\tat  '10.31.39.168(1417)'.\\n\tat  com.ibm.msg.client.jms.admin.JmsConnectionFactoryImpl._createConnection(JmsConnectionFactoryImpl.java:299)\\n\tat com.ibm.msg.client.jms.admin.JmsConnectionFactoryImpl.createConnection(JmsConnectionFactoryImpl.java:236)\\n\tat com.ibm.mq.jms.MQConnectionFactory.createCommonConnection(MQConnectionFactory.java:6024)\\n\tat com.ibm.mq.jms.MQConnectionFactory.createConnection(MQConnectionFactory.java:6049)\\n\tat org.springframework.jms.connection.SingleConnectionFactory.doCreateConnection(SingleConnectionFactory.java:410)\\n\tat org.springframework.jms.connection.SingleConnectionFactory.initConnection(SingleConnectionFactory.java:350)\\n\tat org.springframework.jms.connection.SingleConnectionFactory.getConnection(SingleConnectionFactory.java:328)\\n\tat org.springframework.jms.connection.SingleConnectionFactory.createConnection(SingleConnectionFactory.java:243)\\n\tat org.springframework.jms.support.JmsAccessor.createConnection(JmsAccessor.java:196)\\n\tat org.springframework.jms.listener.AbstractJmsListeningContainer.createSharedConnection(AbstractJmsListeningContainer.java:412)\\n\tat 
{"container_id":"167559efc3f8cc23c1a2be1aa697978f1ec5092efc60b7f87b91f28a6f6dea76"},"kubernetes":{"container_name":"pj-npp-event-listener-psu-api","namespace_name":"msaas-badev","pod_name":"pj-npp-event-listener-psu-api-3.3.4.4-f57686594-q4shr","container_image":"pso.docker.internal.cba/pj-npp-jms-listener:3.3.4.4","container_image_id":"docker-pullable://pso.docker.internal.cba/pj-npp-jms-listener@sha256:83b20688216eb0ab4737123a03566c064bc565de4a89858978abdf4333b48ea0","pod_id":"8d7f77a2-0111-474d-82e2-c66103a4d807","pod_ip":"100.64.186.130","host":"ip-10-3-198-164.ap-southeast-2.compute.internal","labels":{"app":"pj-npp-event-listener","app.kubernetes.io/instance":"pj-npp-event-listener","app.kubernetes.io/managed-by":"Helm","app.kubernetes.io/name":"pj-npp-event-listener","helm.sh/chart":"psu-api-1.7.0","heritage":"Helm","pod-template-hash":"f57686594","project":"pjpds","release":"pj-npp-event-listener"},"master_url":"https://172.20.0.1:443/api","namespace_id":"25c93690-5c3b-4f2b-a967-8d0355ea90f2","namespace_labels":{"argocd.argoproj.io/instance":"appspaces","ci":"CM0953076","kubernetes.io/metadata.name":"msaas-badev","name":"msaas-badev","platform":"PSU","service_owner":"somersd","spg":"CBA_PAYMENTS_TEST_COORDINATION"}},"hostname":"ip-10-3-198-164.ap-southeast-2.compute.internal","host_ip":"10.3.198.164","cluster":"nonprod/pmn02"}


ITWhisperer
SplunkTrust

I guess I meant the full event in a code block to preserve formatting.

Having said that, you appear to be trying to extract only from the log field; has this been correctly extracted? Can you share an example? Is this extraction failing for all your events or only some of them?


vineela
Path Finder

Yes, I need to extract ErrorCode and ErrorMessage from the log field, which is in JSON format.

The log looks like this:
{"log":"21/Mar/2023:20:06:29 +1100 [defaultJmsListenerContainer-1] [correlationId=] ERROR au.com.commbank.pso.payments.pj.listener.util.LoggingUtil - Severity=ERROR, DateTimestamp=21/Mar/2023 20:06:29, ErrorCode=PJ_LISTENER_ERR_0003, ErrorMessage=PJ Listener connection to MQ has failed, MicroserviceName=PJ_LISTENER, ExceptionStackTrace=com.ibm.msg.client.jms.DetailedJMSException: JMSWMQ0018: Failed to connect to queue manager 'NPAT01' with connection mode 'Client' and host name '10.31.39.168(1417)'.\\nCheck the queue manager is started and if running in client mode, check there is a listener running. Please see the linked exception for more information."}


I used this query to extract the data from this:
index="a0_payservutil_generic_app_audit_npd" sourcetype="cba:appinfra:hec:json" "PJ_LISTENER_ERR_000*"
| rename _raw as temp, log as _raw | kv | rename temp as _raw
| table ErrorCode ErrorMessage


ITWhisperer
SplunkTrust

If this isn't working for you, it would seem to suggest that the log field has not been extracted.

In this example, representing your event, I have used spath to extract log from the _raw field before swapping it into the _raw field so that kv can be used:

| makeresults
| eval _raw="{\"log\":\"21/Mar/2023:20:06:29 +1100 [defaultJmsListenerContainer-1] [correlationId=] ERROR au.com.commbank.pso.payments.pj.listener.util.LoggingUtil - Severity=ERROR, DateTimestamp=21/Mar/2023 20:06:29, ErrorCode=PJ_LISTENER_ERR_0003, ErrorMessage=PJ Listener connection to MQ has failed, MicroserviceName=PJ_LISTENER, ExceptionStackTrace=com.ibm.msg.client.jms.DetailedJMSException: JMSWMQ0018: Failed to connect to queue manager 'NPAT01' with connection mode 'Client' and host name '10.31.39.168(1417)'.\\nCheck the queue manager is started and if running in client mode, check there is a listener running. Please see the linked exception for more information.\"}"
| spath
| rename _raw as temp, log as _raw
| kv
| rename temp as _raw
| table ErrorCode ErrorMessage
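The same two-step extraction done offline in Python, as an added example that is not part of the thread: extract_log mirrors what spath does with the log key, and parse_kv mirrors kv on the swapped-in _raw. The sample event is constructed here in the shape of the one above, and the " - " separator between the log4j-style prefix and the Key=Value pairs is an assumption about this log format; extract_fields returns None when the log field cannot be extracted, which is the failure the answer above points to.

```python
import json
import re
from typing import Optional

# Constructed sample event in the same shape as the one in the thread: a JSON
# wrapper whose "log" field holds a comma-separated Key=Value line.
SAMPLE_EVENT = (
    '{"log":"21/Mar/2023:20:06:29 +1100 [defaultJmsListenerContainer-1] '
    '[correlationId=] ERROR au.com.commbank.pso.payments.pj.listener.util.LoggingUtil - '
    'Severity=ERROR, DateTimestamp=21/Mar/2023 20:06:29, ErrorCode=PJ_LISTENER_ERR_0003, '
    'ErrorMessage=PJ Listener connection to MQ has failed, MicroserviceName=PJ_LISTENER, '
    'ExceptionStackTrace=com.ibm.msg.client.jms.DetailedJMSException: JMSWMQ0018: '
    "Failed to connect to queue manager 'NPAT01'.\\nCheck the queue manager is started.\"}"
)

# A pair ends where the next ", Key=" begins, so values such as ErrorMessage
# keep their spaces instead of being cut at the first whitespace.
KV_RE = re.compile(r"(\w+)=(.*?)(?=, \w+=|\Z)", re.DOTALL)


def extract_log(raw: str) -> Optional[str]:
    """Step 1 (what spath does): pull the 'log' string out of the JSON wrapper.
    Returns None when _raw is not JSON or has no 'log' key, which is the
    failure mode the thread diagnoses."""
    try:
        event = json.loads(raw)
    except ValueError:
        return None
    log = event.get("log") if isinstance(event, dict) else None
    return log if isinstance(log, str) else None


def parse_kv(log_line: str) -> dict:
    """Step 2 (what kv does on the swapped _raw): split the structured part of
    the line into Key=Value pairs. Assumption: the prefix ends at the first
    ' - ', after which the comma-separated pairs begin."""
    _, _, body = log_line.partition(" - ")
    return {key: value.strip() for key, value in KV_RE.findall(body)}


def extract_fields(raw: str, wanted=("ErrorCode", "ErrorMessage")) -> Optional[dict]:
    """Steps 1 and 2 together, keeping only the fields the table command lists."""
    log = extract_log(raw)
    if log is None:
        return None
    fields = parse_kv(log)
    return {name: fields.get(name) for name in wanted}


if __name__ == "__main__":
    print(extract_fields(SAMPLE_EVENT))
```

Splunk's automatic kv extraction stops an unquoted value at the first whitespace, so ErrorMessage would come back as just PJ; the extract (kv) command's pairdelim and kvdelim options give the delimiter-aware behaviour that this pattern mirrors.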

ITWhisperer
SplunkTrust

Please can you share your raw event in a code block </> rather than a picture, so that it can be used to test solutions?
