So we are pulling host logs on an EC2 instance and dropping them in an S3 Bucket. Our Splunk Heavy Forwarder is grabbing the logs and pushing them to Splunk Cloud. As we can easily pull the JSON log files into Splunk, there is one specific field inside the JSON document that we want to extract and push to another index.
{"message":"type=NETFILTER_CFG msg=audit(1491557469.510:18655): table=nat family=2 entries=146","@version":"1","@timestamp":"2017-04-07T09:31:09.880Z","path":"/systemlogs/audit/audit.log","host":"generichost","tags":["auditd"],"aws_region":"us-east-1","prod_status":"lalaland","aws_az":"us-east-1a","kluster_name":"klustername","kluster_prefix":"klust-pre","service_name":"audit","service_log":"audit"}
What I am trying to do is to extract only the "message" and ship it to another index called aws_auditd
"message":"type=NETFILTER_CFG msg=audit(1491557469.510:18655): table=nat family=2 entries=146"
The regex that I have found for it is:
(\"message\":)\"([^\,}]*)\"
but I have no idea how to perform the function. Can someone advise me?
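As an added illustration that is not part of the post (and not Splunk code), the Python below runs the posted regex against constructed JSON records next to a JSON-aware extraction, to show where the character class `[^\,}]` silently drops or truncates auditd messages that contain braces or commas. The sample records, the `route` helper and the `aws_auditd` target are assumptions for the demo; a transforms.conf REGEX built from the same pattern would match the same way.

```python
import json
import re

# The regex exactly as written in the post.
POSTED_RE = re.compile(r'(\"message\":)\"([^\,}]*)\"')
# JSON-aware string match that honours backslash escapes such as \" (assumed alternative).
JSON_STRING_RE = re.compile(r'"message"\s*:\s*"((?:[^"\\]|\\.)*)"')


def extract_posted(event: str):
    """Posted regex; None when it finds no match at all."""
    m = POSTED_RE.search(event)
    return m.group(2) if m else None


def extract_regex(event: str):
    """Escape-aware regex; returns the still-escaped JSON text of the value."""
    m = JSON_STRING_RE.search(event)
    return m.group(1) if m else None


def extract_json(event: str):
    """Parse the whole record; correct for commas, braces and escapes."""
    return json.loads(event).get("message")


def route(event: str, index: str = "aws_auditd"):
    """What the second index should receive: only the message text (hypothetical helper)."""
    msg = extract_json(event)
    return None if msg is None else {"index": index, "_raw": msg}


# Constructed sample records; the first is the record quoted in the post, shortened.
EVENTS = {
    "netfilter": '{"message":"type=NETFILTER_CFG msg=audit(1491557469.510:18655): '
                 'table=nat family=2 entries=146","@version":"1","host":"generichost"}',
    # SELinux AVC records contain braces, which [^\,}] refuses: no match at all.
    "avc": '{"message":"type=AVC msg=audit(1491557470.001:18656): avc:  denied  '
           '{ read } for  pid=1234 comm=\\"httpd\\"","@version":"1"}',
    # A comma after an escaped quote makes the posted regex stop early: silent truncation.
    "comma": '{"message":"type=USER_LOGIN msg=audit(1491557471.002:18657): '
             'op=PAM:accounting acct=\\"root\\", exe=\\"/usr/sbin/sshd\\" res=failed","@version":"1"}',
}


def compare(events=EVENTS):
    """Side-by-side results per record: (posted, escape-aware regex, json)."""
    return {k: (extract_posted(v), extract_regex(v), extract_json(v)) for k, v in events.items()}


if __name__ == "__main__":
    for name, (posted, rx, js) in compare().items():
        print(f"{name}:\n  posted={posted!r}\n  regex ={rx!r}\n  json  ={js!r}")
```

The JSON parse (or a CLONE_SOURCETYPE/INDEX transform fed by an escape-aware regex) is the variant to trust for records that will be searched as evidence, because a regex that quietly truncates at the first comma leaves the aws_auditd index with incomplete events and no error.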