Do you mean to say that a string like "{dt.trace_id=837045e132ad49311fde0e1ac6a6c18b, dt.span_id=169aa205dab448fc, dt.trace_sampled=true}" is at the beginning of the raw event? If so, you will need to first extract the part with compliant JSON. (It is also a very bad log pattern from your developer.) You can do so with | eval json = replace(_raw, "^{.+}", "") (Actual method will depend on how raw logs are structured, how stable such a structure is, etc.) Then, apply spath.

| eval json = replace(_raw, "^{.+}", "")
| spath input=json

Alternatively, get rid of the spurious part from _raw then spath.

| rex mode=sed "s/^{.+}//"
| spath

Here is an emulation you can play with and compare with real data

| makeresults
| fields - _time
| eval _raw = "{dt.trace_id=837045e132ad49311fde0e1ac6a6c18b, dt.span_id=169aa205dab448fc, dt.trace_sampled=true}
{
\"correlationId\": \"3-f0d89f31-6c3c-11ee-8502-123c53e78683\",
\"message\": \"API Request\",
\"tracePoint\": \"START\",
\"priority\": \"INFO\",
\"category\": \"com.cfl.api.service\",
\"elapsed\": 0,
\"timestamp\": \"2023-10-16T15:59:09.051Z\",
\"content\": {
\"clientId\": \"\",
\"attributes\": {
\"headers\": {
\"accept-encoding\": \"gzip,deflate\",
\"content-type\": \"application/json\",
\"content-length\": \"92\",
\"host\": \"hr-fin.svr.com\",
\"connection\": \"Keep-Alive\",
\"user-agent\": \"Apache-HttpClient/4.5.5 (Java/16.0.2)\"
},
\"clientCertificate\": null,
\"method\": \"POST\",
\"scheme\": \"https\",
\"queryParams\": {},
\"requestUri\": \"/cfl-service-api/api/process\",
\"queryString\": \"\",
\"version\": \"HTTP/1.1\",
\"maskedRequestPath\": \"/api/queue/send\",
\"listenerPath\": \"/cfl-service-api/api/*\",
\"localAddress\": \"/localhost:8082\",
\"relativePath\": \"/cfl-service-api/api/process\",
\"uriParams\": {},
\"rawRequestUri\": \"/cfl-service-api/api/process\",
\"rawRequestPath\": \"/cfl-service-api/api/process\",
\"remoteAddress\": \"/123.123.123.123:123\",
\"requestPath\": \"/cfl-service-api/api/process\"
}
},
\"applicationName\": \"cfl-service-api\",
\"applicationVersion\": \"6132\",
\"environment\": \"dev\",
\"threadName\": \"[cfl-service-api].proxy.BLOCKING @78f55ba\"
}"
``` data emulation above ```
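
Added example, not part of the original answer: a variant of the same extraction that anchors on the first brace group only, so it still works when the prefix and the JSON share one line, and that keeps the trace context as fields instead of discarding it. The field names dt_prefix, trace_id, span_id and trace_sampled, and the shortened JSON body, are assumptions constructed for illustration.

```spl
| makeresults count=2
| fields - _time
| streamstats count AS n
| eval prefix = "{dt.trace_id=837045e132ad49311fde0e1ac6a6c18b, dt.span_id=169aa205dab448fc, dt.trace_sampled=true}"
| eval body = "{\"message\": \"API Request\", \"content\": {\"attributes\": {\"method\": \"POST\"}}}"
| eval _raw = if(n=1, prefix . " " . body, prefix . urldecode("%0A") . body) ``` constructed events: n=1 single line, n=2 prefix and JSON on separate lines ```
| rex field=_raw "^\{(?<dt_prefix>[^{}]*)\}\s*(?<json>\{[\s\S]*\})\s*$" ``` dt_prefix and the capture layout are assumed names, not from the original post ```
| spath input=json
| rex field=dt_prefix "dt\.trace_id=(?<trace_id>[0-9a-f]+)"
| rex field=dt_prefix "dt\.span_id=(?<span_id>[0-9a-f]+)"
| rex field=dt_prefix "dt\.trace_sampled=(?<trace_sampled>\w+)"
| table n trace_id span_id trace_sampled message content.attributes.method
```

Because [^{}]* cannot cross a brace, the prefix match stops at the first closing brace regardless of whether a newline follows, which a greedy .+ only does when the JSON starts on a new line.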