Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Show a part of message for dasboard stats table

alwinaugustin
Engager
‎09-30-2021 07:59 AM

I have the following query and I am using it in a dashboard to show the errors categorized. 

index=myindex sourcetype=mysource_type:app | spath message | regex message="^.*error creating account.*$$"|top message

Now, this is working, but it is showing the complete messages. The error messages have the following format most of the time:

message: Log: "error creating account {\"status\":\"error\",\"message\":\"Error while creating account, 500 - Internal Server Error\"}"

Now when the stats table is displayed. I would like to show only the message part from this error message, that is it only needs to show Error while creating an account, 500 - Internal Server Error.  It will be very much helpful someone can point out how I can do this?

Labels (2)
Labels
0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎09-30-2021 02:42 PM

You have at least two different methods of parsing out the message part.

1) (ITWhisperer already showed this solution) find the json part, "fix" it (remove backslashes escaping quotation marks), then use spath on the json data to get the message part.

<your_query> 
| rex "(?<json>\{.*\})" 
| eval json=replace(json,"\\\\\"","\"")
| spath input=json path=message

 It should work but it's a bit... halfhearted because it uses the fact that you have a json structure but it makes too many assumptions about the format and contents of this json.

Therefore you have option

2) Just use a regex to parse out the message value

<your_search> 
| rex "\\\"message\\\":\\\"(?<message>.*)\\\"}\"$"

Quick and dirty but simple and effective. (I'm not sure whether the closing quote is a part of the event or is it just you quoting it. Adjust the regex accordingly if necessary.

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎09-30-2021 01:49 PM 
| makeresults 
| eval _raw="message: Log: \"error creating account {\\\"status\\\":\\\"error\\\",\\\"message\\\":\\\"Error while creating account, 500 - Internal Server Error\\\"}\""



| rex "(?<json>\{[^\}]+\})"
| eval json=replace(json,"\\\\","")
| spath input=json path="message" output=message
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎09-30-2021 08:23 AM

Hi @alwinaugustin,

you can do this using the eval command.

So if your field is called message, you have to put in your search:

| eval message=if(like(message,"%Error while creating account, 500%"),"Error while creating an account, 500 - Internal Server Error.",message")

Ciao.

Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...