I have the logs in this way:
measures: {
API.V1.WEBS_ENTITLED_PRODUCTS: 296
success: 300
}
What can be the query so that I can display the field "API.V1.WEBS_ENTITLED_PRODUCTS" and not its value?
I want the output as "API.V1.WEBS_ENTITLED_PRODUCTS".
Hi @payyachamy,
you could use a regex like the following:
your_search
| rex "measures:\s+\{\s+(?<your_field>[^:]+)"
that you can test at https://regex101.com/r/0uOTvQ/1
Ciao.
Giuseppe
your_search | rex "measures:\s+\{\s+(?<your_field>[^:]+)"
But the issue with this query is that this particular field keeps on changing, so the query should be dynamic and pick whichever field is coming in.
And what would be the criteria for selecting this particular event? Do you have this field parsed out of the event?
measures: {
API.V1.WEBS_ENTITLED_PRODUCTS: 296
success: 300
}
metadata: {
downlink: 10
effectiveType: 4g
}
name: WIDGET_LOAD.PIU
The thing here is I need a query which shows the API that is responsible for a widget load.
So I need a table which shows:
WIDGET          | API
----------------|-------------------------------
WIDGET_LOAD.PIU | API.V1.WEBS_ENTITLED_PRODUCTS
Unfortunately, Splunk has very limited event-level introspection capacities, so you have to parse out the field name from the raw event on your own. If your event structure is relatively strict, it should be possible with regexes similarly to what @gcusello showed.