Splunk Search

fields are not extracted properly

srivenna
Engager

Recently we onboarded these logs, but most of the fields are not extracted, though these values are mentioned with =. I am trying to extract batch_id, tran_id, pricing hashcode and rules hashcode. I tried to extract from the GUI but I am seeing a lot of mismatches. Can anyone help me with this?

Here are sample logs:

{"logGroup": "ldcs-devl-eb-06-webapp-Application", "logStream": "ip-10-108-18-243 (i-004009051755596bb) - ld-pricing.log", "aws_acctid": "189693026861", "aws_region": "us-east-1", "splunkdata": {"shard_id": "000000000020", "splkhf": "spitsi-acpt-log-heavy-4", "rvt": 1642014308933}, "lifecycle": "devl-shared", "aws_appshortname": "ldcs", "appcode": "FVV", "cwmessage": "2022-01-12 14:05:02.322|[DefaultThreadPool-18] LD-PRICING-INFO c.f.l.pricing.mapper.DealSetsMapper STARTOFFIELDS|component=LD-PRICING|user_id=c9273wne|seller_id=165700007|session_id=D86C9BAF3F308C7838E4A52BC0DA0938.LDNG-UI-cl02|tran_id=9a6e8ba3-2c01-4b18-bbfb-88a854bbdb85|batch_id=9a6e8ba3-2c01-4b18-bbfb-88a854bbdb85|dealset_id=116784|execution_type=WholeLoan|loan_count=1|time=|messageId=ID:SOADevl-ems08.752D61D05D2DBE2E02:414|ENDOFFIELDS - Pricing Info ~ Pricing Hashcode: 1761264532 - Rules Hashcode: -1500207091 - uniqueClientDealIdentifier: a37801e4-dbe6-4c3a-bc26-17d1a78a0b28 - sellerLoanIdentifier: BTP22_0111_B10 - poolIdentifier: null - investorCommitmentIdentifier: 116784 - sellerId: 165700007 ", "cwtimestamp": 1641996302000}

{"logGroup": "ldcs-devl-eb-06-webapp-Application", "logStream": "ip-10-108-18-243 (i-004009051755596bb) - ld-pricing.log", "aws_acctid": "189693026861", "aws_region": "us-east-1", "splunkdata": {"shard_id": "000000000020", "splkhf": "spitsi-acpt-log-heavy-4", "rvt": 1642014334358}, "lifecycle": "devl-shared", "aws_appshortname": "ldcs", "appcode": "FVV", "cwmessage": "2022-01-12 14:05:27.035|[DefaultThreadPool-20] LD-PRICING-INFO c.f.l.pricing.mapper.DealSetsMapper STARTOFFIELDS|component=LD-PRICING|user_id=c9273wne|seller_id=165700007|session_id=D86C9BAF3F308C7838E4A52BC0DA0938.LDNG-UI-cl02|tran_id=751b1112-0511-4dbd-b94c-a6409c23b20d|batch_id=751b1112-0511-4dbd-b94c-a6409c23b20d|dealset_id=116784|execution_type=WholeLoan|loan_count=1|time=|messageId=ID:SOADevl-ems08.752D61D05D2DBE2E0A:457|ENDOFFIELDS - Pricing Info ~ Pricing Hashcode: 1761264532 - Rules Hashcode: -1500207091 - uniqueClientDealIdentifier: a37801e4-dbe6-4c3a-bc26-17d1a78a0b28 - sellerLoanIdentifier: BTP22_0111_B10 - poolIdentifier: null - investorCommitmentIdentifier: 116784 - sellerId: 165700007 ", "cwtimestamp": 1641996327000}


yuanliu
SplunkTrust

Clearly the logs are in JSON.  However, it is unclear whether logs are ingested with a JSON sourcetype, that is, whether JSON extraction is performed at indexing time.  If they are, Splunk would already have fields like logGroup, aws_acctid, cwtimestamp and, most importantly, cwmessage.  All key-value pairs are in cwmessage.

If cwmessage is already available to you, try

 

| rename _raw as temp, cwmessage as _raw
| kv pairdelim="|" kvdelim="="
| rename _raw as cwmessage, temp as _raw

 

kv is an alias of extract.  If the log is ingested without JSON format but _raw events are still valid JSON as you illustrated, add spath command at the beginning, i.e.,

 

| spath
| rename _raw as temp, cwmessage as _raw
| kv pairdelim="|" kvdelim="="
| rename _raw as cwmessage, temp as _raw

 

Note the forward and backward renames are just to preserve original fields. If that's not a concern for next filters, "rename cwmessage AS _raw" before kv suffices.

Example: Given dataset

_time: 2022-01-12 06:05:02
_raw: {"logGroup": "ldcs-devl-eb-06-webapp-Application", "logStream": "ip-10-108-18-243 (i-004009051755596bb) - ld-pricing.log", "aws_acctid": "189693026861", "aws_region": "us-east-1", "splunkdata": {"shard_id": "000000000020", "splkhf": "spitsi-acpt-log-heavy-4", "rvt": 1642014308933}, "lifecycle": "devl-shared", "aws_appshortname": "ldcs", "appcode": "FVV", "cwmessage": "2022-01-12 14:05:02.322|[DefaultThreadPool-18] LD-PRICING-INFO c.f.l.pricing.mapper.DealSetsMapper STARTOFFIELDS|component=LD-PRICING|user_id=c9273wne|seller_id=165700007|session_id=D86C9BAF3F308C7838E4A52BC0DA0938.LDNG-UI-cl02|tran_id=9a6e8ba3-2c01-4b18-bbfb-88a854bbdb85|batch_id=9a6e8ba3-2c01-4b18-bbfb-88a854bbdb85|dealset_id=116784|execution_type=WholeLoan|loan_count=1|time=|messageId=ID:SOADevl-ems08.752D61D05D2DBE2E02:414|ENDOFFIELDS - Pricing Info ~ Pricing Hashcode: 1761264532 - Rules Hashcode: -1500207091 - uniqueClientDealIdentifier: a37801e4-dbe6-4c3a-bc26-17d1a78a0b28 - sellerLoanIdentifier: BTP22_0111_B10 - poolIdentifier: null - investorCommitmentIdentifier: 116784 - sellerId: 165700007 ", "cwtimestamp": 1641996302000}

_time: 2022-01-12 06:05:27
_raw: {"logGroup": "ldcs-devl-eb-06-webapp-Application", "logStream": "ip-10-108-18-243 (i-004009051755596bb) - ld-pricing.log", "aws_acctid": "189693026861", "aws_region": "us-east-1", "splunkdata": {"shard_id": "000000000020", "splkhf": "spitsi-acpt-log-heavy-4", "rvt": 1642014334358}, "lifecycle": "devl-shared", "aws_appshortname": "ldcs", "appcode": "FVV", "cwmessage": "2022-01-12 14:05:27.035|[DefaultThreadPool-20] LD-PRICING-INFO c.f.l.pricing.mapper.DealSetsMapper STARTOFFIELDS|component=LD-PRICING|user_id=c9273wne|seller_id=165700007|session_id=D86C9BAF3F308C7838E4A52BC0DA0938.LDNG-UI-cl02|tran_id=751b1112-0511-4dbd-b94c-a6409c23b20d|batch_id=751b1112-0511-4dbd-b94c-a6409c23b20d|dealset_id=116784|execution_type=WholeLoan|loan_count=1|time=|messageId=ID:SOADevl-ems08.752D61D05D2DBE2E0A:457|ENDOFFIELDS - Pricing Info ~ Pricing Hashcode: 1761264532 - Rules Hashcode: -1500207091 - uniqueClientDealIdentifier: a37801e4-dbe6-4c3a-bc26-17d1a78a0b28 - sellerLoanIdentifier: BTP22_0111_B10 - poolIdentifier: null - investorCommitmentIdentifier: 116784 - sellerId: 165700007 ", "cwtimestamp": 1641996327000}

The above filters will render something like the following, including fields of your interest.

_time: 2022-01-12 06:05:02
_raw: {"logGroup": "ldcs-devl-eb-06-webapp-Application", "logStream": "ip-10-108-18-243 (i-004009051755596bb) - ld-pricing.log", "aws_acctid": "189693026861", "aws_region": "us-east-1", "splunkdata": {"shard_id": "000000000020", "splkhf": "spitsi-acpt-log-heavy-4", "rvt": 1642014308933}, "lifecycle": "devl-shared", "aws_appshortname": "ldcs", "appcode": "FVV", "cwmessage": "2022-01-12 14:05:02.322|[DefaultThreadPool-18] LD-PRICING-INFO c.f.l.pricing.mapper.DealSetsMapper STARTOFFIELDS|component=LD-PRICING|user_id=c9273wne|seller_id=165700007|session_id=D86C9BAF3F308C7838E4A52BC0DA0938.LDNG-UI-cl02|tran_id=9a6e8ba3-2c01-4b18-bbfb-88a854bbdb85|batch_id=9a6e8ba3-2c01-4b18-bbfb-88a854bbdb85|dealset_id=116784|execution_type=WholeLoan|loan_count=1|time=|messageId=ID:SOADevl-ems08.752D61D05D2DBE2E02:414|ENDOFFIELDS - Pricing Info ~ Pricing Hashcode: 1761264532 - Rules Hashcode: -1500207091 - uniqueClientDealIdentifier: a37801e4-dbe6-4c3a-bc26-17d1a78a0b28 - sellerLoanIdentifier: BTP22_0111_B10 - poolIdentifier: null - investorCommitmentIdentifier: 116784 - sellerId: 165700007 ", "cwtimestamp": 1641996302000}
appcode: FVV
aws_acctid: 189693026861
aws_appshortname: ldcs
aws_region: us-east-1
batch_id: 9a6e8ba3-2c01-4b18-bbfb-88a854bbdb85
component: LD-PRICING
cwmessage: 2022-01-12 14:05:02.322|[DefaultThreadPool-18] LD-PRICING-INFO c.f.l.pricing.mapper.DealSetsMapper STARTOFFIELDS|component=LD-PRICING|user_id=c9273wne|seller_id=165700007|session_id=D86C9BAF3F308C7838E4A52BC0DA0938.LDNG-UI-cl02|tran_id=9a6e8ba3-2c01-4b18-bbfb-88a854bbdb85|batch_id=9a6e8ba3-2c01-4b18-bbfb-88a854bbdb85|dealset_id=116784|execution_type=WholeLoan|loan_count=1|time=|messageId=ID:SOADevl-ems08.752D61D05D2DBE2E02:414|ENDOFFIELDS - Pricing Info ~ Pricing Hashcode: 1761264532 - Rules Hashcode: -1500207091 - uniqueClientDealIdentifier: a37801e4-dbe6-4c3a-bc26-17d1a78a0b28 - sellerLoanIdentifier: BTP22_0111_B10 - poolIdentifier: null - investorCommitmentIdentifier: 116784 - sellerId: 165700007
cwtimestamp: 1641996302000
dealset_id: 116784
execution_type: WholeLoan
lifecycle: devl-shared
loan_count: 1
logGroup: ldcs-devl-eb-06-webapp-Application
logStream: ip-10-108-18-243 (i-004009051755596bb) - ld-pricing.log
messageId: ID:SOADevl-ems08.752D61D05D2DBE2E02:414
seller_id: 165700007
session_id: D86C9BAF3F308C7838E4A52BC0DA0938.LDNG-UI-cl02
splunkdata.rvt: 1642014308933
splunkdata.shard_id: 000000000020
splunkdata.splkhf: spitsi-acpt-log-heavy-4
tran_id: 9a6e8ba3-2c01-4b18-bbfb-88a854bbdb85
user_id: c9273wne

_time: 2022-01-12 06:05:27
_raw: {"logGroup": "ldcs-devl-eb-06-webapp-Application", "logStream": "ip-10-108-18-243 (i-004009051755596bb) - ld-pricing.log", "aws_acctid": "189693026861", "aws_region": "us-east-1", "splunkdata": {"shard_id": "000000000020", "splkhf": "spitsi-acpt-log-heavy-4", "rvt": 1642014334358}, "lifecycle": "devl-shared", "aws_appshortname": "ldcs", "appcode": "FVV", "cwmessage": "2022-01-12 14:05:27.035|[DefaultThreadPool-20] LD-PRICING-INFO c.f.l.pricing.mapper.DealSetsMapper STARTOFFIELDS|component=LD-PRICING|user_id=c9273wne|seller_id=165700007|session_id=D86C9BAF3F308C7838E4A52BC0DA0938.LDNG-UI-cl02|tran_id=751b1112-0511-4dbd-b94c-a6409c23b20d|batch_id=751b1112-0511-4dbd-b94c-a6409c23b20d|dealset_id=116784|execution_type=WholeLoan|loan_count=1|time=|messageId=ID:SOADevl-ems08.752D61D05D2DBE2E0A:457|ENDOFFIELDS - Pricing Info ~ Pricing Hashcode: 1761264532 - Rules Hashcode: -1500207091 - uniqueClientDealIdentifier: a37801e4-dbe6-4c3a-bc26-17d1a78a0b28 - sellerLoanIdentifier: BTP22_0111_B10 - poolIdentifier: null - investorCommitmentIdentifier: 116784 - sellerId: 165700007 ", "cwtimestamp": 1641996327000}
appcode: FVV
aws_acctid: 189693026861
aws_appshortname: ldcs
aws_region: us-east-1
batch_id: 751b1112-0511-4dbd-b94c-a6409c23b20d
component: LD-PRICING
cwmessage: 2022-01-12 14:05:27.035|[DefaultThreadPool-20] LD-PRICING-INFO c.f.l.pricing.mapper.DealSetsMapper STARTOFFIELDS|component=LD-PRICING|user_id=c9273wne|seller_id=165700007|session_id=D86C9BAF3F308C7838E4A52BC0DA0938.LDNG-UI-cl02|tran_id=751b1112-0511-4dbd-b94c-a6409c23b20d|batch_id=751b1112-0511-4dbd-b94c-a6409c23b20d|dealset_id=116784|execution_type=WholeLoan|loan_count=1|time=|messageId=ID:SOADevl-ems08.752D61D05D2DBE2E0A:457|ENDOFFIELDS - Pricing Info ~ Pricing Hashcode: 1761264532 - Rules Hashcode: -1500207091 - uniqueClientDealIdentifier: a37801e4-dbe6-4c3a-bc26-17d1a78a0b28 - sellerLoanIdentifier: BTP22_0111_B10 - poolIdentifier: null - investorCommitmentIdentifier: 116784 - sellerId: 165700007
cwtimestamp: 1641996327000
dealset_id: 116784
execution_type: WholeLoan
lifecycle: devl-shared
loan_count: 1
logGroup: ldcs-devl-eb-06-webapp-Application
logStream: ip-10-108-18-243 (i-004009051755596bb) - ld-pricing.log
messageId: ID:SOADevl-ems08.752D61D05D2DBE2E0A:457
seller_id: 165700007
session_id: D86C9BAF3F308C7838E4A52BC0DA0938.LDNG-UI-cl02
splunkdata.rvt: 1642014334358
splunkdata.shard_id: 000000000020
splunkdata.splkhf: spitsi-acpt-log-heavy-4
tran_id: 751b1112-0511-4dbd-b94c-a6409c23b20d
user_id: c9273wne

 

Hope this helps.

0 Karma

srivenna
Engager

Thank you for your response. Yes, Splunk has extracted all these fields like logGroup, aws_acctid, cwtimestamp and, most importantly, cwmessage. How can I extract fields from cwmessage separated with pipe? Mainly I am looking for fields tran_id, batch_id and pricing hashcode and rules hashcode. Do I need to write any props, or can I do field extraction with the query?

0 Karma

srivenna
Engager

I tried this 

| spath
| rename _raw as temp, cwmessage as _raw
| kv pairdelim="|" kvdelim="="

All = fields are extracted. But fields with " : " are not extracted. I am specifically looking for Pricing hashcode and rules hashcode. Thanks again.

0 Karma

yuanliu
SplunkTrust

If you already see fields like logGroup, that means spath is redundant. (See Alternatives to the spath command.) To capture those key-value pairs separated by :, try

 

| rename _raw as temp, cwmessage as _raw
| rex mode=sed "s/ - / + /g"
| kv pairdelim="|+" kvdelim="=:"
| rename _raw as cwmessage, temp as _raw

 

The rex command is to establish a unique delimiter.  The pairs are separated by " - " (space-space), but "-" appears in some values.  I notice that "+" is not used anywhere in cwmessage, therefore "+" would be a good candidate.  The above does not restore cwmessage to its original content as I sense that you wouldn't use it further.

Using the same sample data, the output is

_time: 2022-01-12 06:05:02
_raw: {"logGroup": "ldcs-devl-eb-06-webapp-Application", "logStream": "ip-10-108-18-243 (i-004009051755596bb) - ld-pricing.log", "aws_acctid": "189693026861", "aws_region": "us-east-1", "splunkdata": {"shard_id": "000000000020", "splkhf": "spitsi-acpt-log-heavy-4", "rvt": 1642014308933}, "lifecycle": "devl-shared", "aws_appshortname": "ldcs", "appcode": "FVV", "cwmessage": "2022-01-12 14:05:02.322|[DefaultThreadPool-18] LD-PRICING-INFO c.f.l.pricing.mapper.DealSetsMapper STARTOFFIELDS|component=LD-PRICING|user_id=c9273wne|seller_id=165700007|session_id=D86C9BAF3F308C7838E4A52BC0DA0938.LDNG-UI-cl02|tran_id=9a6e8ba3-2c01-4b18-bbfb-88a854bbdb85|batch_id=9a6e8ba3-2c01-4b18-bbfb-88a854bbdb85|dealset_id=116784|execution_type=WholeLoan|loan_count=1|time=|messageId=ID:SOADevl-ems08.752D61D05D2DBE2E02:414|ENDOFFIELDS - Pricing Info ~ Pricing Hashcode: 1761264532 - Rules Hashcode: -1500207091 - uniqueClientDealIdentifier: a37801e4-dbe6-4c3a-bc26-17d1a78a0b28 - sellerLoanIdentifier: BTP22_0111_B10 - poolIdentifier: null - investorCommitmentIdentifier: 116784 - sellerId: 165700007 ", "cwtimestamp": 1641996302000}
Pricing_Info___Pricing_Hashcode: 1761264532
Rules_Hashcode: -1500207091
appcode: FVV
aws_acctid: 189693026861
aws_appshortname: ldcs
aws_region: us-east-1
batch_id: 9a6e8ba3-2c01-4b18-bbfb-88a854bbdb85
component: LD-PRICING
cwmessage: 2022-01-12 14:05:02.322|[DefaultThreadPool-18] LD-PRICING-INFO c.f.l.pricing.mapper.DealSetsMapper STARTOFFIELDS|component=LD-PRICING|user_id=c9273wne|seller_id=165700007|session_id=D86C9BAF3F308C7838E4A52BC0DA0938.LDNG-UI-cl02|tran_id=9a6e8ba3-2c01-4b18-bbfb-88a854bbdb85|batch_id=9a6e8ba3-2c01-4b18-bbfb-88a854bbdb85|dealset_id=116784|execution_type=WholeLoan|loan_count=1|time=|messageId=ID:SOADevl-ems08.752D61D05D2DBE2E02:414|ENDOFFIELDS + Pricing Info ~ Pricing Hashcode: 1761264532 + Rules Hashcode: -1500207091 + uniqueClientDealIdentifier: a37801e4-dbe6-4c3a-bc26-17d1a78a0b28 + sellerLoanIdentifier: BTP22_0111_B10 + poolIdentifier: null + investorCommitmentIdentifier: 116784 + sellerId: 165700007
cwtimestamp: 1641996302000
dealset_id: 116784
execution_type: WholeLoan
investorCommitmentIdentifier: 116784
lifecycle: devl-shared
loan_count: 1
logGroup: ldcs-devl-eb-06-webapp-Application
logStream: ip-10-108-18-243 (i-004009051755596bb) - ld-pricing.log
messageId: ID:SOADevl-ems08.752D61D05D2DBE2E02:414
poolIdentifier: null
sellerId: 165700007
sellerLoanIdentifier: BTP22_0111_B10
seller_id: 165700007
session_id: D86C9BAF3F308C7838E4A52BC0DA0938.LDNG-UI-cl02
splunkdata.rvt: 1642014308933
splunkdata.shard_id: 000000000020
splunkdata.splkhf: spitsi-acpt-log-heavy-4
tran_id: 9a6e8ba3-2c01-4b18-bbfb-88a854bbdb85
uniqueClientDealIdentifier: a37801e4-dbe6-4c3a-bc26-17d1a78a0b28
user_id: c9273wne

_time: 2022-01-12 06:05:27
_raw: {"logGroup": "ldcs-devl-eb-06-webapp-Application", "logStream": "ip-10-108-18-243 (i-004009051755596bb) - ld-pricing.log", "aws_acctid": "189693026861", "aws_region": "us-east-1", "splunkdata": {"shard_id": "000000000020", "splkhf": "spitsi-acpt-log-heavy-4", "rvt": 1642014334358}, "lifecycle": "devl-shared", "aws_appshortname": "ldcs", "appcode": "FVV", "cwmessage": "2022-01-12 14:05:27.035|[DefaultThreadPool-20] LD-PRICING-INFO c.f.l.pricing.mapper.DealSetsMapper STARTOFFIELDS|component=LD-PRICING|user_id=c9273wne|seller_id=165700007|session_id=D86C9BAF3F308C7838E4A52BC0DA0938.LDNG-UI-cl02|tran_id=751b1112-0511-4dbd-b94c-a6409c23b20d|batch_id=751b1112-0511-4dbd-b94c-a6409c23b20d|dealset_id=116784|execution_type=WholeLoan|loan_count=1|time=|messageId=ID:SOADevl-ems08.752D61D05D2DBE2E0A:457|ENDOFFIELDS - Pricing Info ~ Pricing Hashcode: 1761264532 - Rules Hashcode: -1500207091 - uniqueClientDealIdentifier: a37801e4-dbe6-4c3a-bc26-17d1a78a0b28 - sellerLoanIdentifier: BTP22_0111_B10 - poolIdentifier: null - investorCommitmentIdentifier: 116784 - sellerId: 165700007 ", "cwtimestamp": 1641996327000}
Pricing_Info___Pricing_Hashcode: 1761264532
Rules_Hashcode: -1500207091
appcode: FVV
aws_acctid: 189693026861
aws_appshortname: ldcs
aws_region: us-east-1
batch_id: 751b1112-0511-4dbd-b94c-a6409c23b20d
component: LD-PRICING
cwmessage: 2022-01-12 14:05:27.035|[DefaultThreadPool-20] LD-PRICING-INFO c.f.l.pricing.mapper.DealSetsMapper STARTOFFIELDS|component=LD-PRICING|user_id=c9273wne|seller_id=165700007|session_id=D86C9BAF3F308C7838E4A52BC0DA0938.LDNG-UI-cl02|tran_id=751b1112-0511-4dbd-b94c-a6409c23b20d|batch_id=751b1112-0511-4dbd-b94c-a6409c23b20d|dealset_id=116784|execution_type=WholeLoan|loan_count=1|time=|messageId=ID:SOADevl-ems08.752D61D05D2DBE2E0A:457|ENDOFFIELDS + Pricing Info ~ Pricing Hashcode: 1761264532 + Rules Hashcode: -1500207091 + uniqueClientDealIdentifier: a37801e4-dbe6-4c3a-bc26-17d1a78a0b28 + sellerLoanIdentifier: BTP22_0111_B10 + poolIdentifier: null + investorCommitmentIdentifier: 116784 + sellerId: 165700007
cwtimestamp: 1641996327000
dealset_id: 116784
execution_type: WholeLoan
investorCommitmentIdentifier: 116784
lifecycle: devl-shared
loan_count: 1
logGroup: ldcs-devl-eb-06-webapp-Application
logStream: ip-10-108-18-243 (i-004009051755596bb) - ld-pricing.log
messageId: ID:SOADevl-ems08.752D61D05D2DBE2E0A:457
poolIdentifier: null
sellerId: 165700007
sellerLoanIdentifier: BTP22_0111_B10
seller_id: 165700007
session_id: D86C9BAF3F308C7838E4A52BC0DA0938.LDNG-UI-cl02
splunkdata.rvt: 1642014334358
splunkdata.shard_id: 000000000020
splunkdata.splkhf: spitsi-acpt-log-heavy-4
tran_id: 751b1112-0511-4dbd-b94c-a6409c23b20d
uniqueClientDealIdentifier: a37801e4-dbe6-4c3a-bc26-17d1a78a0b28
user_id: c9273wne
0 Karma
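
Why the sed swap in the answer above is needed, as an added example that is not part of the original posts and is not Splunk's implementation: the pairdelim and kvdelim arguments of kv are sets of single characters, so the three-character " - " separator cannot be passed directly, and adding a bare "-" to pairdelim cuts every UUID and the negative hashcode. The Python sketch below is a simplified model of that splitting, run on the cwmessage of the first sample event; the names kv_extract and swap_pair_separator, and the rule that drops empty values and keys not starting with a letter or underscore, are assumptions of this model.

```python
import re

# Constructed sample: the cwmessage value of the first event quoted on this page.
CWMESSAGE = (
    "2022-01-12 14:05:02.322|[DefaultThreadPool-18] LD-PRICING-INFO "
    "c.f.l.pricing.mapper.DealSetsMapper STARTOFFIELDS|component=LD-PRICING|"
    "user_id=c9273wne|seller_id=165700007|"
    "session_id=D86C9BAF3F308C7838E4A52BC0DA0938.LDNG-UI-cl02|"
    "tran_id=9a6e8ba3-2c01-4b18-bbfb-88a854bbdb85|"
    "batch_id=9a6e8ba3-2c01-4b18-bbfb-88a854bbdb85|dealset_id=116784|"
    "execution_type=WholeLoan|loan_count=1|time=|"
    "messageId=ID:SOADevl-ems08.752D61D05D2DBE2E02:414|ENDOFFIELDS - "
    "Pricing Info ~ Pricing Hashcode: 1761264532 - Rules Hashcode: -1500207091 - "
    "uniqueClientDealIdentifier: a37801e4-dbe6-4c3a-bc26-17d1a78a0b28 - "
    "sellerLoanIdentifier: BTP22_0111_B10 - poolIdentifier: null - "
    "investorCommitmentIdentifier: 116784 - sellerId: 165700007 "
)


def swap_pair_separator(text, separator=" - ", marker="+"):
    """Model of rex mode=sed "s/ - / + /g", with the uniqueness check made explicit."""
    if marker in text:
        # The trick only works while the marker never occurs in the data itself.
        raise ValueError(f"marker {marker!r} already occurs in the message")
    return text.replace(separator, f" {marker} ")


def kv_extract(text, pairdelim, kvdelim):
    """Simplified model of kv: both arguments are sets of single characters."""
    fields = {}
    for chunk in re.split(f"[{re.escape(pairdelim)}]", text):
        hit = re.search(f"[{re.escape(kvdelim)}]", chunk)  # first key/value delimiter
        if hit is None:
            continue  # free text such as the thread name or STARTOFFIELDS
        key = chunk[:hit.start()].strip()
        value = chunk[hit.end():].strip()
        # Model assumption: skip empty values (time=) and keys that do not start
        # with a letter or underscore (the timestamp prefix of the message).
        if value and re.match(r"[A-Za-z_]", key):
            # Non-word characters in a key become "_", matching the field names
            # shown in the answer (Pricing_Info___Pricing_Hashcode).
            fields.setdefault(re.sub(r"\W", "_", key), value)
    return fields


def naive_fields(message=CWMESSAGE):
    """Treat "-" itself as a pair delimiter: values containing "-" are truncated."""
    return kv_extract(message, "|-", "=:")


def fixed_fields(message=CWMESSAGE):
    """Swap " - " for " + " first, then split pairs on "|" and "+" only."""
    return kv_extract(swap_pair_separator(message), "|+", "=:")


if __name__ == "__main__":
    naive, fixed = naive_fields(), fixed_fields()
    for name in ("tran_id", "batch_id", "Pricing_Info___Pricing_Hashcode", "Rules_Hashcode"):
        print(f"{name}: naive={naive.get(name)!r} fixed={fixed.get(name)!r}")
```
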

srivenna
Engager

Yes! It helped. Perfectly communicated, and works so well.
Thank you!

 
 
0 Karma