Hello, I am new to Splunk and am needing to split an Event at the Response Line. Below is an example of an Event.

Request : August 17, 2021, 4:50 pm
Data: {"requestNode":"Item","updatedBy":"WebServices_User","elements":{"typeOfItem":"Stock","country":"1",""baseUnitOfMeasure":"EA","IsItASerializedProduct":false,"currencyCode":"1","freezeCodeCorpLevel":98,"fractionalInventory":false,"isItADirectShippedProduct":false,"globalHold":false,"replacementCost":9.6,"productForm":"Non-Hazardous\/Transferrable","PrimaryVendor":"V9723","landedProduct":true,"standardCost":11.425,"status":"Inactive","priceGroup":"1N","invoiceCost":0,"listCost":11.99,"ueType":"Nursery","ueLine":"CNCO","ueDepartment":"EUONYMUS","taxCategory":"07"}}
Response: {"success":false,"message":"No valid Item exists","code":"205"}

The purpose is, I need to create Fields for each parameter in the Response Line, and with this line being a part of the Data portion of the Event, which has a varying number of fields, we can't get the regex working. Support said we needed to break out the Response line, but wouldn't offer any recommendation on which line breaker I should be using. I've tried adding a BREAK_ONLY_BEFORE to the sourcetype in props.conf, but after a Splunk restart, we stop seeing events for this sourcetype. Below is what the sourcetype looks like in props.conf.

[webservices_log-too_small]
BREAK_ONLY_BEFORE = ^[a-zA-Z](?:[_-]?\w)*:\s+\{"[a-zA-Z](?:[_-]?\w)*":
PREFIX_SOURCETYPE = True
is_valid = True
maxDist = 9999

Any help on this would be awesome, I really appreciate it.

Thanks,
Tom
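The following is an added example, not code from the poster or from Splunk. It simulates, in Python, what a line-breaking regex like the BREAK_ONLY_BEFORE pattern in the post does to the sample event when the pattern is applied line by line (the `^` anchor matching at every line start), so you can see where the event would be cut before changing props.conf and restarting. It also shows a separate extraction of the Response line's JSON into fields, which is the end goal described in the post. The sample event is constructed from the one quoted above with the Data payload shortened; the function and variable names are this example's own.

```python
import json
import re

# Constructed sample event modelled on the one in the post; the Data payload is
# shortened and the doubled quote in the original is omitted so it parses.
SAMPLE_EVENT = (
    'Request : August 17, 2021, 4:50 pm\n'
    'Data: {"requestNode":"Item","updatedBy":"WebServices_User",'
    '"elements":{"typeOfItem":"Stock","country":"1"}}\n'
    'Response: {"success":false,"message":"No valid Item exists","code":"205"}'
)

# The BREAK_ONLY_BEFORE pattern from the post. MULTILINE makes ^ match at the
# start of every line, which is how a per-line breaker sees the raw text.
BREAK_BEFORE = re.compile(
    r'^[a-zA-Z](?:[_-]?\w)*:\s+\{"[a-zA-Z](?:[_-]?\w)*":', re.MULTILINE
)


def split_at_pattern(text, pattern):
    """Return the pieces of `text`, cutting just before each match of `pattern`.

    Text before the first match is kept as its own piece, mirroring how a
    breaker treats a leading line that does not match.
    """
    starts = [m.start() for m in pattern.finditer(text)]
    if not starts or starts[0] != 0:
        starts.insert(0, 0)
    bounds = starts + [len(text)]
    return [text[a:b].strip() for a, b in zip(bounds, bounds[1:])]


# Matches only the Response line and captures its JSON object. `.` does not
# cross newlines here, so the Data line cannot bleed into the capture.
RESPONSE_LINE = re.compile(r'^Response:\s*(\{.*\})\s*$', re.MULTILINE)


def response_fields(event):
    """Extract the Response line of an event as a dict, or None if absent/invalid."""
    m = RESPONSE_LINE.search(event)
    if m is None:
        return None
    try:
        return json.loads(m.group(1))
    except json.JSONDecodeError:
        return None


if __name__ == "__main__":
    for piece in split_at_pattern(SAMPLE_EVENT, BREAK_BEFORE):
        print("--- segment ---")
        print(piece)
    print("Response fields:", response_fields(SAMPLE_EVENT))
```

Running this shows the post's pattern cutting the sample into three segments ("Request : ..." on its own, then "Data: ...", then "Response: ..."), because "Request :" has a space before the colon and does not match while both JSON-carrying lines do. The `response_fields` helper shows that the Response values can be pulled out with a regex anchored to the line label regardless of how many keys the Data object carries.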