Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Question about not standard source type

glm_cybaze
Engager
‎05-16-2020 07:19 AM

Hi to all, I'm new to the splunk use and I have an issue with a software that write logs in a non standard way (of my fresh knowledge of splunk)
{

"name":"clientLogger",
"level":30,
"levelName":"info",
"msg":"[audio] iceServers",
"time":"2018-08-27T19:32:57.389Z",
"src":"xxxxxx",
"v":1,
"extraInfo":{

"sessionToken":"e7boenucj1pwkbfc",
"meetingId":"183f0bf3a0982a127bdb8161e0c44eb696b3e75c-1535398242909",
"requesterUserId":"w_klfavdlkumj8",
"fullname":"Ios",
"confname":"Demo Meeting",
"externUserID":"w_klfavdlkumj8"
},
"url":"xxxx",
"userAgent":"Mozilla/5.0",
"count":1
}
and in splunk the log are:
alt text

the only info I need are:
- time
- fullname
- confname

But regex don't work and I don't recognize how to set only the proper field!
Some help or how to guide would be helpful!
Thanks in advance!

Labels (3)
Labels
Preview file
1 KB
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎05-16-2020 09:59 AM

rex should work. You didn't say what you tried, so we can't say what you might have done wrong. Try this:

index=foo
| rex "time\":\"(?<time>[^\"]+)"
| rex "fullname\":\"(?<fullname>[^\"]+)"
| rex "confname\":\"(?<confname>[^\"]+)"
| table time, fullname, confname
---
If this reply helps you, Karma would be appreciated.

View solution in original post

0 Karma
Reply
Solved! Jump to solution

to4kawa
Ultra Champion
‎05-16-2020 04:35 PM

make props.conf

SEDCMD-trim = s/.*?\]//g
TRUNCATE = 0
INDEXED_EXTRACTION = none
KV_MODE = json
SHOULD_LINEMERGE = false

You can see the fields {}.time , extraInfo{}.fullname and extraInfo{}.confname

0 Karma
Reply
Solved! Jump to solution

glm_cybaze
Engager
‎05-16-2020 09:29 PM

Will try this solution too!
Thanks

0 Karma
Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎05-16-2020 09:59 AM

rex should work. You didn't say what you tried, so we can't say what you might have done wrong. Try this:

index=foo
| rex "time\":\"(?<time>[^\"]+)"
| rex "fullname\":\"(?<fullname>[^\"]+)"
| rex "confname\":\"(?<confname>[^\"]+)"
| table time, fullname, confname
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

glm_cybaze
Engager
‎05-16-2020 04:27 PM

Thanks, i used in search and work! created report and dashboard! now i try to replicate and add more complex analisys!

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎05-16-2020 04:58 PM

If your problem is resolved then please accept an answer to help future readers.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

&#x1f342; Fall into November with a fresh lineup of Community Office Hours, Tech Talks, and Webinars we’ve ...

Transform your security operations with Splunk Enterprise Security

Hi Splunk Community, Splunk Platform has set a great foundation for your security operations. With the ...

Splunk Admins and App Developers | Earn a $35 gift card!

Splunk, in collaboration with ESG (Enterprise Strategy Group) by TechTarget, is excited to announce a ...