Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Search time line break using REX

Abskal
Observer
‎09-11-2020 07:16 AM

Hi Splunkers,

 

Can anyone please help with search time line break for the following log.

 

 

{"audits":[{"id":"000","version":1,"modified":"2020-09-11T12:28:44.351897585Z","sortValues":null,"action":{"JobID":"97979779797","Name":"TA"},"user":"x","object":"Jobs","type":"w","identifier":"0h0hh0h0hh"},{"id":"879789","version":1,"modified":"2020-09-11T12:27:46.568076802Z","sortValues":null,"action":{"JobID":"0000000"},"user":"KKK","object":"Jobs","type":"delete","identifier":""},{"id":"90808","version":1,"modified":"2020-09-11T12:25:04.808661137Z","sortValues":null,"action":{"JobID":"9889808088","Name":"KA"},"user":"uy","object":"Jobs","type":"add","identifier":"9878979797"},

 

 

I want to break the logs using {"id.

Thank you!

 

Labels (1)
Labels
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎09-11-2020 08:08 AM

Are you trying to get each audit as a separate event?

| makeresults | eval event="{\"audits\":[{\"id\":\"000\",\"version\":1,\"modified\":\"2020-09-11T12:28:44.351897585Z\",\"sortValues\":null,\"action\":{\"JobID\":\"97979779797\",\"Name\":\"TA\"},\"user\":\"x\",\"object\":\"Jobs\",\"type\":\"w\",\"identifier\":\"0h0hh0h0hh\"},{\"id\":\"879789\",\"version\":1,\"modified\":\"2020-09-11T12:27:46.568076802Z\",\"sortValues\":null,\"action\":{\"JobID\":\"0000000\"},\"user\":\"KKK\",\"object\":\"Jobs\",\"type\":\"delete\",\"identifier\":\"\"},{\"id\":\"90808\",\"version\":1,\"modified\":\"2020-09-11T12:25:04.808661137Z\",\"sortValues\":null,\"action\":{\"JobID\":\"9889808088\",\"Name\":\"KA\"},\"user\":\"uy\",\"object\":\"Jobs\",\"type\":\"add\",\"identifier\":\"9878979797\"}]}"
| spath input=event path=audits{}
| rename audits{} as audits
| mvexpand audits
| fields audits
| fields - _time
0 Karma
Reply

Abskal
Observer
‎09-11-2020 08:28 AM
Spoiler
Thank you for your response, I am trying to do line break after  {"id": , so that every entry that starts from "id": should appear in new line. 
Tags (1)
0 Karma
Reply

Abskal
Observer
‎09-11-2020 09:13 AM

I am confused that what should be the "eval event="  ? here as I know the field=_raw.

Tags (1)
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎09-11-2020 09:17 AM

eval event= is me just making some sample data - you can start with

... your search
| spath path=audits{}
| rename audits{} as audits
| mvexpand audits
| fields audits
| fields - _time
0 Karma
Reply

Abskal
Observer
‎09-11-2020 09:32 AM

I tried the below query but no results.

 

index=test_logs
| spath path=audits{}
| rename audits{} as audits
| mvexpand audits
| fields audits
| fields - _time

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎09-11-2020 10:29 AM

Can you provide a couple of sample events?

index=test_logs
| head 2
0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...