I have the following events in my Splunk log:
{
log: {"@timestamp":"2019-11-18T16:02:16.080-08:00","@version":1,"message":"Files Succesfully Moved To S3 Bucket [20191118-160215~0.txt, 20191118-160215~0.txt.gz, ~20191118-160215~0.txt.gz.done]","logger_name":"FileGenerator","thread_name":"scheduling-1","level":"INFO","level_value":20000,"APP_NAME":"schedule"}
stream: stdout
time: 2019-11-19T00:02:16.08107067Z
}
{
log: {"@timestamp":"2019-11-19T04:06:07.008-08:00","@version":1,"message":"Processing Ended at 2019-11-19T04:06:07.008-08:00","logger_name":"FileGenerator","thread_name":"scheduling-1","level":"INFO","level_value":20000,"APP_NAME":"schedule"}
stream: stdout
time: 2019-11-19T12:06:07.008346529Z
}
{
log: {"@timestamp":"2019-11-16T16:00:00.658-08:00","@version":1,"message":"Files Succesfully Moved To S3 Bucket [ 20191116-160000~0.txt, 20191116-160000~0.txt.gz, 20191116-160000~0.txt.gz.done]","logger_name":"FileGenerator","thread_name":"scheduling-1","level":"INFO","level_value":20000,"APP_NAME":"schedule"}
stream: stdout
time: 2019-11-17T00:00:00.658656167Z
}
{
log: {"@timestamp":"2019-11-15T16:00:00.565-08:00","@version":1,"message":"Files Succesfully Moved To S3 Bucket [ 20191115-160000~1.txt, 20191115-160000~1.txt.gz, 20191115-160000~1.txt.gz.done]","logger_name":"FileGenerator","thread_name":"scheduling-1","level":"INFO","level_value":20000,"APP_NAME":"schedule"}
stream: stdout
time: 2019-11-16T00:00:00.566173395Z
}
Now, I want to extract message, app_name and level from the log only when the message contains the string "Files Succesfully Moved To S3 Bucket". I already tried the following query:
index=d** source=S*** source=u** "Files Succesfully Moved To S3 Bucket" | table APP_NAME,level,message
but it doesn't return anything.
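As an added illustration (not part of the question above): the events are container-style records whose `log` field carries the application's own JSON line as a string, so `message`, `APP_NAME` and `level` sit one level down inside that string. This Python example, which assumes that nested layout and uses constructed sample events, parses both levels and returns the three fields only for events whose message contains the search string, skipping lines whose `log` value is not JSON.

```python
import json
from typing import Iterable, Iterator, Optional, Tuple

def app_line(message: str) -> str:
    """Build the application's JSON log line, as the "log" field carries it."""
    return json.dumps({"@timestamp": "2019-11-18T16:02:16.080-08:00", "message": message,
                       "logger_name": "FileGenerator", "level": "INFO", "APP_NAME": "schedule"})

# Constructed sample records in the shape shown in the question: the outer
# record is the container log wrapper, and its "log" field holds the
# application's own JSON line as a string (JSON inside JSON).
SAMPLE_EVENTS = [
    {"log": app_line("Files Succesfully Moved To S3 Bucket [20191118-160215~0.txt]"),
     "stream": "stdout", "time": "2019-11-19T00:02:16.08107067Z"},
    {"log": app_line("Processing Ended at 2019-11-19T04:06:07.008-08:00"),
     "stream": "stdout", "time": "2019-11-19T12:06:07.008346529Z"},
    # A plain (non-JSON) stdout line, which a nested-field extraction must skip.
    {"log": "plain text line, not JSON", "stream": "stdout", "time": "2019-11-19T12:06:08Z"},
]

# The search string, spelled exactly as the application writes it.
NEEDLE = "Files Succesfully Moved To S3 Bucket"

def inner_fields(event: dict) -> Optional[dict]:
    """Parse the JSON string in the "log" field; None when it is not a JSON object."""
    raw = event.get("log")
    if not isinstance(raw, str):
        return None
    try:
        parsed = json.loads(raw)
    except json.JSONDecodeError:
        return None
    return parsed if isinstance(parsed, dict) else None

def s3_move_events(events: Iterable[dict]) -> Iterator[Tuple[Optional[str], Optional[str], str]]:
    """Yield (APP_NAME, level, message) for events whose message contains NEEDLE."""
    for event in events:
        fields = inner_fields(event)
        if fields is None:
            continue
        message = fields.get("message", "")
        if NEEDLE in message:
            yield (fields.get("APP_NAME"), fields.get("level"), message)

if __name__ == "__main__":
    for row in s3_move_events(SAMPLE_EVENTS):
        print(row)
```

In SPL the equivalent second-level parse is `spath input=log`, after which `message`, `APP_NAME` and `level` can be filtered and tabled as their own fields.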