How to parse Event to get 3rd item and pieces of 3...

trent6 · ‎06-09-2022

I have a collection of log files that I am trying to parse.
Quick summary:
From Apache/Tomcat using logback

I don't have permission to change the layout of the log files at the moment but can work on that

Event field from the quick parse seems to hold a lot of data that could be separated out into "Fields" via comma separation.

I seem to need the 3rd item in Event if we could parse them by comma

Is there an easy way to do that in the query syntax?

The Event section looks like:
date, something about a filter, THE URL THAT I WANT, other junk etc

2022-05-01 23:15:24, calling SSO: null, /topUrl/rest/services/folder/servicename/command?moreinfoEtc, referer: Null, request ip: 10.xxx.xxx.xxx

So, I'd love to get statistics on

topURL

ServiceName

Any help would be great.

trent6 · ‎06-09-2022

Actually, as I look at the files, they are all CSV. and the item that I want is th 3rd or 4th item.
How do i Splunk Free to just read the filess as csv and treat them as columns? This should be very simple.
Take a months worth of web logs and parse them in to fields based on CSV and allow me to do some basic queries....
How do I read them in as simple csv?

How to parse Event to get 3rd item and pieces of 3rd item?

rex

Dashboard Studio Challenge - Learn New Tricks, Showcase Your Skills, and Win Prizes!

Introducing Edge Processor: Next Gen Data Transformation

Take the 2021 Splunk Career Survey for $50 in Amazon Cash