Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to get the output of particular text from the log message?

Bala
Explorer
‎03-08-2022 01:05 AM

Hi Team i have a log message and i want to filter the all log messages which contains the below highlighted text. and if the status value is other than 200 status!=200 separate that messages

{"timestamp":"2022-03-04T11:04:41.143Z","message":"ABCDEFG :::{\"status\":200,\"headers\":

{"timestamp":"2022-03-05T11:02:41.143Z","message":"ABCDEFG :::{\"status\":400,\"headers\":

{"timestamp":"2022-03-02T11:05:41.143Z","message":"ABCDEFG :::{\"status\":500,\"headers\":

Labels (1)
Labels
0 Karma
Reply

gcusello
Legend
‎03-08-2022 01:12 AM

Hi @Bala,

when you say "filter" are you meaning at search time or before indexing?

if at search time, you can insert the condition in the main search:

index=your_index ("ABCDEFG :::{\"status\":400" OR "ABCDEFG :::{\"status\":500")
| ...

if before indexing, you have to follow the documentation at https://docs.splunk.com/Documentation/Splunk/8.2.5/Forwarding/Routeandfilterdatad#Filter_event_data_...

Ciao.

Giuseppe

0 Karma
Reply

Bala
Explorer
‎03-09-2022 06:56 AM

its not working

Log   "message":"ABCDEFG :::{\"status\":200,\"headers\":

| rex field=message "ABCDEFG\s...{."status.":"(?<status>\d+) | table status

am able to see the correct events but not able to see the values 200 in table 

correct me if am missing anything

0 Karma
Reply

gcusello
Legend
‎03-09-2022 08:15 AM

Hi @Bala,

let me understand, is your problem extracting the status field from your logs or what else?

if you want to extractthe status field, you can use a regex, but before a question: are you sure that in your logs there is a backslash "\" before quotes?

if yes, you can use the following regex:

| rex field=message "status\\\":(?<status>\d+)"

that you can test at https://regex101.com/r/cDYieK/1

if not, you can use the following regex:

| rex field=message "status\":(?<status>\d+)"

Ciao.

Giuseppe

 

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Forwarders and Forced Time Based Load Balancing

Splunk customers use universal forwarders to collect and send data to Splunk. A universal forwarder can send ...

NEW! Log Views in Splunk Observability Dashboards Gives Context From a Single Page

Today, Splunk Observability releases log views, a new feature for users to add their logs data from Splunk Log ...

Last Chance to Submit Your Paper For BSides Splunk - Deadline is August 12th!

Hello everyone! Don't wait to submit - The deadline is August 12th! We have truly missed the community so ...