Re: How to format event in search

gentcore · ‎09-27-2019

Hi,

I am running a search and the event structure is displaying as:

{ [-]
   line: 2019-09-27 11:47:29,696 [server] INFO  [http-nio-8079-exec-1] [] [] o.s.w.s.DispatcherServlet | Completed initialization in 7 ms
   source: stdout
   tag: 1445465d0f2e
}

Is there any way i can just have the event display as:

2019-09-27 11:47:29,696 [server] INFO  [http-nio-8079-exec-1] [] [] o.s.w.s.DispatcherServlet | Completed initialization in 7 ms

i.e. I am only interested in displaying the "line" data, to make it easier to read through the logs

Cheers.

gcusello · ‎09-27-2019

Hi gentcore,
do you want to display or to index the event in this way ?
if you want to display the event in this way, you can use a regex like this:

your_search
| rex "\{\s+\[-\]\s*line:\s+(?<my_log>[^\}]*)"
| table _time my_log

If instead you want to index only this part of event and discard the rest, you have to insert in your props.conf, in the stanza of this sourcetype:

SEDCMD-my_log = s/\{\s+\[-\]\s*line:\s+//g

You can test the regex at https://regex101.com/r/AZsiou/1 .

Bye.
Giuseppe

How to format event in search

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

Are you a member of the Splunk Community?

How to format event in search

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...