Data illustration could have saved everybody a ton of time reading your mind. The solution is the same as I suggested earlier: kv aka extract is your friend. But first, let me correct the JSON error in your mock data:

```json
{
  "cluster_id": "cluster",
  "kubernetes": {
    "host": "host",
    "labels": {"app": "app", "version": "v1"},
    "namespace_name": "namespace",
    "pod_name": "pod"
  },
  "log": {
    "App": "app_name",
    "Env": "stg",
    "LogType": "Application",
    "contextMap": {},
    "endOfBatch": false,
    "level": "INFO",
    "loggerFqcn": "org.apache.logging.log4j.spi.AbstractLogger",
    "loggerName": "com.x.x.x.X",
    "message": "Json path=/path feed=NAME sku=SKU_NAME status=failed errorCount=3 errors=ERROR_1, ERROR_2, MORE_ERROR_3 fields=Field 1, Field 2, More Fields Here"
  }
}
```

Now this is a compliant JSON.

Second, are you saying that your developers are so inconsiderate as to not properly quote key value pairs? Like I said earlier, in this case, you need to deal with them first. The best route is to implore them to improve log hygiene. Failing that, you can deal with them in a limited way using SPL. The following depends on the order of errors and fields. The field message is actually named log.message in Splunk. (Many other languages flatten JSON this way, too.)

```
| rename log.message as _raw
| rex mode=sed "s/errors=(.+) fields=(.+)/errors=\"\1\" fields=\"\2\"/"
| kv
| table path feed sku status errorCount errors fields
```

Output is

| path | feed | sku | status | errorCount | errors | fields |
|---|---|---|---|---|---|---|
| /path | NAME | SKU_NAME | failed | 3 | ERROR_1, ERROR_2, MORE_ERROR_3 | Field 1, Field 2, More Fields Here |

Here is a full emulation of your mock data. Play with it and compare with real data.

```
| makeresults
| eval _raw ="{\"cluster_id\":\"cluster\",\"kubernetes\":{\"host\":\"host\",\"labels\":{\"app\":\"app\",\"version\":\"v1\"},\"namespace_name\":\"namespace\",\"pod_name\":\"pod\"},\"log\":{\"App\":\"app_name\",\"Env\":\"stg\",\"LogType\":\"Application\",\"contextMap\":{},\"endOfBatch\":false,\"level\":\"INFO\",\"loggerFqcn\":\"org.apache.logging.log4j.spi.AbstractLogger\",\"loggerName\":\"com.x.x.x.X\",\"message\":\"Json path=/path feed=NAME sku=SKU_NAME status=failed errorCount=3 errors=ERROR_1, ERROR_2, MORE_ERROR_3 fields=Field 1, Field 2, More Fields Here\"}}"
| spath
``` data emulation above ```
```
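As an added illustration (my own Python, not part of the answer above and not Splunk's own code) of what the three SPL steps do to this event, the block below flattens the nested JSON into dotted keys the way `spath` produces `log.message`, applies the same `errors=(.+) fields=(.+)` rewrite that the `rex mode=sed` step does, and then extracts `key=value` pairs the way `kv` does (quoted values kept whole, unquoted values ending at the next space). The sample event is the corrected mock data from the answer; `parse_message` and `flatten_event` are names I chose for this example. It also shows the order dependence the answer warns about: when `fields=` precedes `errors=`, the rewrite does not fire and both multi-word values are truncated at the first space.

```python
import json
import re

# Constructed sample event: the corrected mock data from the answer above.
SAMPLE_EVENT = json.dumps({
    "cluster_id": "cluster",
    "kubernetes": {
        "host": "host",
        "labels": {"app": "app", "version": "v1"},
        "namespace_name": "namespace",
        "pod_name": "pod",
    },
    "log": {
        "App": "app_name",
        "Env": "stg",
        "LogType": "Application",
        "contextMap": {},
        "endOfBatch": False,
        "level": "INFO",
        "loggerFqcn": "org.apache.logging.log4j.spi.AbstractLogger",
        "loggerName": "com.x.x.x.X",
        "message": ("Json path=/path feed=NAME sku=SKU_NAME status=failed "
                    "errorCount=3 errors=ERROR_1, ERROR_2, MORE_ERROR_3 "
                    "fields=Field 1, Field 2, More Fields Here"),
    },
})


def flatten(obj, prefix=""):
    """Flatten nested JSON into dotted keys (log.message, kubernetes.labels.app),
    mirroring how spath names fields. Empty objects are kept as leaves."""
    out = {}
    for key, value in obj.items():
        dotted = f"{prefix}.{key}" if prefix else key
        if isinstance(value, dict) and value:
            out.update(flatten(value, dotted))
        else:
            out[dotted] = value
    return out


def flatten_event(raw):
    """Parse a raw JSON event string and flatten it (the spath step)."""
    return flatten(json.loads(raw))


# Same pattern as the SPL rex: wrap the two multi-word list values in quotes.
# Greedy (.+) is fine here because only one " fields=" follows errors=.
QUOTE_LISTS = re.compile(r"errors=(.+) fields=(.+)")


def normalize_message(msg):
    """Equivalent of: rex mode=sed "s/errors=(.+) fields=(.+)/errors=\"\\1\" fields=\"\\2\"/".
    Returns the message unchanged if errors= does not precede fields=."""
    return QUOTE_LISTS.sub(r'errors="\1" fields="\2"', msg)


# key=value where the value is either a double-quoted string or a run of
# non-space characters; approximates what the kv / extract command does.
KV = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def extract_kv(msg):
    """Pull key=value pairs out of a message the way kv does."""
    result = {}
    for m in KV.finditer(msg):
        # group 3 is the unquoted inner text when the value was quoted
        result[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(2)
    return result


def parse_message(msg):
    """rex + kv on a single message string."""
    return extract_kv(normalize_message(msg))


def parse_event(raw):
    """spath, then rename log.message as _raw, then rex + kv."""
    return parse_message(flatten_event(raw)["log.message"])


if __name__ == "__main__":
    for k, v in parse_event(SAMPLE_EVENT).items():
        print(f"{k}={v}")
```

Running the module prints the same seven fields the SPL `table` command shows. The `parse_message` function on a message with `fields=` before `errors=` yields `fields=Field` and `errors=ERROR_1,`, which is exactly why the answer says the approach depends on the order of the two lists and why fixing the logging format upstream is the better route.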