Hi Everyone Sample logs: {"kubernetes":{"container_name":"sign-template-services","namespace_name":"merch-ps-signs-stress-1","pod_name":"sign-template-services-14-chfbn"},"message":"::ffff:100.65.19.1 - - [05-Mar-2020 09:58:48 CST] \"GET /health HTTP/1.1\" 200 30 - **7.807** ms\n","hostname":"ocp-usc1-lle-b-app-f-g3q9.c.kohls-openshift-lle.internal","@timestamp":"2020-03-05T15:58:48.231999+00:00","cluster_name":"ocp.gcpusc1-b.lle.xpaas"} {"kubernetes":{"container_name":"sign-template-services","namespace_name":"merch-ps-signs-ci","pod_name":"sign-template-services-39-gb69d"},"message":"::ffff:100.109.92.1 - - [05-Mar-2020 09:57:31 CST] \"GET /health HTTP/1.1\" 200 30 - **33.245** ms\n","hostname":"ocp-usc1-lle-c-app-f-7ml9.c.kohls-openshift-lle.internal","@timestamp":"2020-03-05T15:57:31.808739+00:00","cluster_name":"ocp.gcpusc1-c.lle.xpaas"} We need to extract a field called "Response_Time" which is highlighted in these logs. The data is available in the field "message". I have tried the below regex but it does not seem to work. index=kohls_prod_infrastructure_openshift_raw kubernetes.container_name=sign-template-services | rex field=MESSAGE "\d{3} d{2} - (?\d+) ms\"" Please help! Thanks. ... View more

I need to extract "internal-blue-ocf" as namespace and "stress-b.aps.gc1-b.lle.ocf.xxx.com" as service using rex from the below data. The condition for the fields should be like, 1) namespace: content between http:// and -oic 2) service: content should start after oic- and ends at .com MESSAGE: 2019-12-05 04:04:42, Environment=OIC STRESS B, Service=, Status=000, Response_Time=0.000, Endpoint=http://internal-blue-ocf-oic-stress-b.aps.gc1-b.lle.ocf.xxx.com/oic/ The rex should be used on field called MESSAGE. Please help! ... View more

I am trying to extract fields Environment and Service with below search and receiving the error 'SearchParser': Missing a search command before '^'. I got the rex command from Splunk field extractor screen, however, this error comes up in the search window. index=*** base search | rex field=message "^[^\\\n]*\\"(?P<Environment>[^\\]+)[^=\n]*=\\"(?P<Service>[^\\]+)" Sample event: { "__CURSOR" : "s=ccf7ccd2666b481c880c3a36c2d0d504;i=71c1b4;b=423aef85e8a745d785e26ea9b1611d92;m=9cd3993341;t=598cb4887fb24;x=29d41973a54be13c", "__REALTIME_TIMESTAMP" : "1575373746207524", "__MONOTONIC_TIMESTAMP" : "673564930881", "_BOOT_ID" : "423aef85e8a745d785e26ea9b1611d92", "_UID" : "0", "_GID" : "0", "_CAP_EFFECTIVE" : "1fffffffff", "_SYSTEMD_SLICE" : "system.slice", "_MACHINE_ID" : "6be70c13152f40488b5f3b3847dc2bd0", "_HOSTNAME" : "ocf-splunk-nonprod-linux-1", "_TRANSPORT" : "stdout", "PRIORITY" : "6", "_STREAM_ID" : "f5dbc3d1330f4783bf0586cfaad9a4fc", "SYSLOG_IDENTIFIER" : "polling_url.sh", "_PID" : "2345", "_COMM" : "cat", "_EXE" : "/usr/bin/cat", "_CMDLINE" : "/bin/cat", "_AUDIT_SESSION" : "8872", "_AUDIT_LOGINUID" : "0", "_SYSTEMD_CGROUP" : "/system.slice/crond.service", "_SYSTEMD_UNIT" : "crond.service", "MESSAGE" : "2019-12-03 05:49:05, Environment=\"OTS STRESS(CDC)\", Service=\"services-orderdetails-stress.apps.cdc-b.lle.xpaas.kohls\", WSDL_Service=\"KohlsOrderService\", Status=404, Response_Time=0.244, Endpoint=\"https://oms-services-orderdetails-stress.apps.cdc-b.lle.xpaas.kohls.com/ots_orderstatus/KohlsOrderService?wsdl\"" } ... View more