Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Show a part of message for dasboard stats table

alwinaugustin
Engager
‎09-30-2021 07:59 AM

I have the following query and I am using it in a dashboard to show the errors categorized. 

index=myindex sourcetype=mysource_type:app | spath message | regex message="^.*error creating account.*$$"|top message

Now, this is working, but it is showing the complete messages. The error messages have the following format most of the time:

message: Log: "error creating account {\"status\":\"error\",\"message\":\"Error while creating account, 500 - Internal Server Error\"}"

Now when the stats table is displayed. I would like to show only the message part from this error message, that is it only needs to show Error while creating an account, 500 - Internal Server Error.  It will be very much helpful someone can point out how I can do this?

Labels (2)
Labels
0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎09-30-2021 02:42 PM

You have at least two different methods of parsing out the message part.

1) (ITWhisperer already showed this solution) find the json part, "fix" it (remove backslashes escaping quotation marks), then use spath on the json data to get the message part.

<your_query> 
| rex "(?<json>\{.*\})" 
| eval json=replace(json,"\\\\\"","\"")
| spath input=json path=message

 It should work but it's a bit... halfhearted because it uses the fact that you have a json structure but it makes too many assumptions about the format and contents of this json.

Therefore you have option

2) Just use a regex to parse out the message value

<your_search> 
| rex "\\\"message\\\":\\\"(?<message>.*)\\\"}\"$"

Quick and dirty but simple and effective. (I'm not sure whether the closing quote is a part of the event or is it just you quoting it. Adjust the regex accordingly if necessary.

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎09-30-2021 01:49 PM 
| makeresults 
| eval _raw="message: Log: \"error creating account {\\\"status\\\":\\\"error\\\",\\\"message\\\":\\\"Error while creating account, 500 - Internal Server Error\\\"}\""



| rex "(?<json>\{[^\}]+\})"
| eval json=replace(json,"\\\\","")
| spath input=json path="message" output=message
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎09-30-2021 08:23 AM

Hi @alwinaugustin,

you can do this using the eval command.

So if your field is called message, you have to put in your search:

| eval message=if(like(message,"%Error while creating account, 500%"),"Error while creating an account, 500 - Internal Server Error.",message")

Ciao.

Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

Wondering How to Build Resiliency in the Cloud?

IT leaders are choosing Splunk Cloud as an ideal cloud transformation platform to drive business resilience,  ...

Updated Data Management and AWS GDI Inventory in Splunk Observability

We’re making some changes to Data Management and Infrastructure Inventory for AWS. The Data Management page, ...

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...