(Note: When giving sample data, use the code box.) Your log mixes plain text with structured JSON. So, the first task is to extract the JSON piece, then extract from JSON using spath. | rex "DN...
See more...
(Note: When giving sample data, use the code box.) Your log mixes plain text with structured JSON. So, the first task is to extract the JSON piece, then extract from JSON using spath. | rex "DNAC (?<json_msg>{.+})"
| spath input=json_msg description from your sample data will contain this value description Executing command terminal width 0 config t Failed to fetch the preview commands. Here is an emulation of your sample data. Play with it and compare with real data | makeresults
| eval _raw = "Oct 22 14:20:45 10.5.0.200 DNAC {\"version\":\"1.0.0\",\"instanceId\":\"20fd8163-4ca8-424b-a5a9-1e4018372abb\",\"eventId\":\"AUDIT_LOG_EVENT\",\"namespace\":\"AUDIT_LOG\",\"name\":\"AUDIT_LOG\",\"description\":\"Executing command terminal width 0\\nconfig t\\nFailed to fetch the preview commands.\\n\",\"type\":\"AUDIT_LOG\",\"category\":\"INFO\",\"domain\":\"Audit\",\"subDomain\":\"\",\"severity\":1,\"source\":\"NA\",\"timestamp\":1729606845043,\"details\":{\"requestPayloadDescriptor\":\"terminal width 0\\nconfig t\\nFailed to fetch the preview commands.\\n\",\"requestPayload\":\"\\n\"},\"ciscoDnaEventLink\":null,\"note\":null,\"tntId\":\"630db6e989269c11640abd49\",\"context\":null,\"userId\":\"system\",\"i18n\":null,\"eventHierarchy\":{\"hierarchy\":\"20fd8163-4ca8-424b-a5a9-1e4018372abb\",\"hierarchyDelimiter\":\".\"},\"message\":null,\"messageParams\":null,\"additionalDetails\":{\"eventMetadata\":{\"auditLogMetadata\":{\"type\":\"CLI\",\"version\":\"1.0.0\"}}},\"parentInstanceId\":\"9dde297d-845e-40d0-aeb0-a11e141f95b5\",\"network\":{\"siteId\":\"\",\"deviceId\":\"10.7.140.2\"},\"isSimulated\":false,\"startTime\":1729606845055,\"dnacIP\":\"10.5.0.200\",\"tenantId\":\"SYS0\"}"
``` data emulation above ```