Splunk Search

Want to extract "component", "environment" & "componentType" and their corresponding values in table format.

JyotiP
Path Finder

I have the following log output and I want to extract "component", "environment" & "component type" and their corresponding value in table format.

Level="INFO", Date="2019-07-22 08:43:44,141", Message="{"Protocol":"https","Path":"/api/infrastructure/qualitygate/v1/qualityGateStatus","Verb":"GET","QueryParams":{"component":"help-website-stack","version":"1.0.291","environment":"testenvironment","componentType":"stack"},"body":{},"StatusCode":200,"Details":{"component":"help-website-stack","version":"1.0.291","sonarStatus":true,"integrationTestStatus":true,"status":true,"message":"","coverage":"0.0","newCoverage":"0.0"}}
1 Solution

vnravikumar
Champion

Hi

Try this

| makeresults 
| eval test="Level=\"INFO\", Date=\"2019-07-22 08:43:44,141\", Message=\"{\"Protocol\":\"https\",\"Path\":\"/api/infrastructure/qualitygate/v1/qualityGateStatus\",\"Verb\":\"GET\",\"QueryParams\":{\"component\":\"help-website-stack\",\"version\":\"1.0.291\",\"environment\":\"testenvironment\",\"componentType\":\"stack\"},\"body\":{},\"StatusCode\":200,\"Details\":{\"component\":\"help-website-stack\",\"version\":\"1.0.291\",\"sonarStatus\":true,\"integrationTestStatus\":true,\"status\":true,\"message\":\"\",\"coverage\":\"0.0\",\"newCoverage\":\"0.0\"}}" 
| rex field=test "\{\"component\"\:\"(?P<Component>[^\",]+).+\"environment\"\:\"(?P<Environment>[^,]+)\",\"componentType\"\:\"(?P<ComponentType>[^\"\}]+)" 
| table Component,Environment,ComponentType


JyotiP
Path Finder

@vnravikumar why .+? Why not ','?


JyotiP
Path Finder

@vnravikumar I also want to include newCoverage in the table, and I am using .+\"newCoverage\":\"(?P[^\"]+. I am able to retrieve the result, but when the value for newCoverage is null/blank it does not retrieve anything. What shall I do?


vnravikumar
Champion

Hi

Try the below method. As per your sample data, Message is in JSON format, so I used spath to extract the info.

[updated:]

| makeresults 
| eval test="Level=\"INFO\", Date=\"2019-07-22 08:43:44,141\", Message=\"{\"Protocol\":\"https\",\"Path\":\"/api/infrastructure/qualitygate/v1/qualityGateStatus\",\"Verb\":\"GET\",\"QueryParams\":{\"component\":\"help-website-stack\",\"version\":\"1.0.291\",\"environment\":\"testenvironment\",\"componentType\":\"stack\"},\"body\":{},\"StatusCode\":200,\"Details\":{\"component\":\"help-website-stack\",\"version\":\"1.0.291\",\"sonarStatus\":true,\"integrationTestStatus\":true,\"status\":true,\"message\":\"\",\"coverage\":\"0.0\",\"newCoverage\":\"0.0\"}}" 
| rex field=test "Message\=\"(?P<Message>\{.*\})$" 
| spath input=Message path=QueryParams.component output="Component" 
| spath input=Message path=QueryParams.environment output="Environment" 
| spath input=Message path=QueryParams.componentType output="Component Type" 
| spath input=Message path=Details.newCoverage output="New Coverage" 
| table Component Environment "Component Type" "New Coverage"
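An added example, not from the thread, showing why a blank newCoverage makes the regex approach return nothing: `[^\"]+` needs at least one character, so the group fails to match on an empty string, and when that group is part of one combined rex the whole pattern fails and every field from it is dropped. `[^\"]*` accepts the empty string, and spath reads the JSON value directly. The two events are constructed from the sample data above (trimmed, with the second event's newCoverage blanked); the field names are mine.

```spl
| makeresults count=2
| streamstats count AS n
| eval test=if(n=1,
    "Level=\"INFO\", Date=\"2019-07-22 08:43:44,141\", Message=\"{\"QueryParams\":{\"component\":\"help-website-stack\",\"version\":\"1.0.291\",\"environment\":\"testenvironment\",\"componentType\":\"stack\"},\"Details\":{\"component\":\"help-website-stack\",\"coverage\":\"0.0\",\"newCoverage\":\"0.0\"}}",
    "Level=\"INFO\", Date=\"2019-07-22 08:43:45,002\", Message=\"{\"QueryParams\":{\"component\":\"help-website-stack\",\"version\":\"1.0.291\",\"environment\":\"testenvironment\",\"componentType\":\"stack\"},\"Details\":{\"component\":\"help-website-stack\",\"coverage\":\"0.0\",\"newCoverage\":\"\"}}")
| rex field=test "\"newCoverage\"\:\"(?P<NewCoverage_plus>[^\"]+)\""
| rex field=test "\"newCoverage\"\:\"(?P<NewCoverage_star>[^\"]*)\""
| rex field=test "Message\=\"(?P<Message>\{.*\})$"
| spath input=Message path=Details.newCoverage output=NewCoverage_star_spath
| table n NewCoverage_plus NewCoverage_star NewCoverage_star_spath
```

On the second row NewCoverage_plus is absent, while NewCoverage_star and NewCoverage_star_spath are present with an empty value, so the row survives a later table or where.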

vnravikumar
Champion

As per your sample data, the version field was in between component and environment; to skip that I had used .+


JyotiP
Path Finder

Oh, got it, makes sense as well.
