How to get the output of particular text from the ...

Bala · ‎03-08-2022

Hi Team i have a log message and i want to filter the all log messages which contains the below highlighted text. and if the status value is other than 200 status!=200 separate that messages

{"timestamp":"2022-03-04T11:04:41.143Z","message":"ABCDEFG :::{\"status\":200,\"headers\":

{"timestamp":"2022-03-05T11:02:41.143Z","message":"ABCDEFG :::{\"status\":400,\"headers\":

{"timestamp":"2022-03-02T11:05:41.143Z","message":"ABCDEFG :::{\"status\":500,\"headers\":

gcusello · ‎03-08-2022

Hi @Bala,

when you say "filter" are you meaning at search time or before indexing?

if at search time, you can insert the condition in the main search:

index=your_index ("ABCDEFG :::{\"status\":400" OR "ABCDEFG :::{\"status\":500")
| ...

if before indexing, you have to follow the documentation at https://docs.splunk.com/Documentation/Splunk/8.2.5/Forwarding/Routeandfilterdatad#Filter_event_data_...

Ciao.

Giuseppe

Bala · ‎03-09-2022

its not working

Log "message":"ABCDEFG :::{\"status\":200,\"headers\":

| rex field=message "ABCDEFG\s...{."status.":"(?<status>\d+) | table status

am able to see the correct events but not able to see the values 200 in table

correct me if am missing anything

gcusello · ‎03-09-2022

Hi @Bala,

let me understand, is your problem extracting the status field from your logs or what else?

if you want to extractthe status field, you can use a regex, but before a question: are you sure that in your logs there is a backslash "\" before quotes?

if yes, you can use the following regex:

| rex field=message "status\\\":(?<status>\d+)"

that you can test at https://regex101.com/r/cDYieK/1

if not, you can use the following regex:

| rex field=message "status\":(?<status>\d+)"

Ciao.

Giuseppe

How to get the output of particular text from the log message?

rex

Enterprise Security Content Updates (ESCU) - New Releases

Thought Leaders are Validating Your Hard Work and Training Rigor

.conf23 Registration is Now Open!