Splunk Enterprise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Extract json from event if the event contains the string

karthi25
Path Finder
‎11-19-2019 04:43 AM

I have following events in splunk log

{ [-]
   log: {"@timestamp":"2019-11-18T16:02:16.080-08:00","@version":1,"message":"Files Succesfully Moved To S3 Bucket [20191118-160215~0.txt,  20191118-160215~0.txt.gz, ~20191118-160215~0.txt.gz.done]","logger_name":"FileGenerator","thread_name":"scheduling-1","level":"INFO","level_value":20000,"APP_NAME":"schedule"}

   stream: stdout
   time: 2019-11-19T00:02:16.08107067Z
}
{ [-]
   log: {"@timestamp":"2019-11-19T04:06:07.008-08:00","@version":1,"message":"Processing Ended at 2019-11-19T04:06:07.008-08:00","logger_name":"FileGenerator","thread_name":"scheduling-1","level":"INFO","level_value":20000,"APP_NAME":"schedule"}

   stream: stdout
   time: 2019-11-19T12:06:07.008346529Z
}

{ [-]
   log: {"@timestamp":"2019-11-16T16:00:00.658-08:00","@version":1,"message":"Files Succesfully Moved To S3 Bucket [ 20191116-160000~0.txt,  20191116-160000~0.txt.gz,  20191116-160000~0.txt.gz.done]","logger_name":"FileGenerator","thread_name":"scheduling-1","level":"INFO","level_value":20000,"APP_NAME":"schedule"}

   stream: stdout
   time: 2019-11-17T00:00:00.658656167Z
}

{ [-]
   log: {"@timestamp":"2019-11-15T16:00:00.565-08:00","@version":1,"message":"Files Succesfully Moved To S3 Bucket [ 20191115-160000~1.txt,  20191115-160000~1.txt.gz,  20191115-160000~1.txt.gz.done]","logger_name":"FileGenerator","thread_name":"scheduling-1","level":"INFO","level_value":20000,"APP_NAME":"schedule"}

   stream: stdout
   time: 2019-11-16T00:00:00.566173395Z
}

Now, I want to extract message,app_name,level from the log only when the message contains the string "Files Succesfully Moved To S3 Bucket".
I already tried the following query:

index=d** source=S***  source=u** "Files Succesfully Moved To S3 Bucket" | table APP_NAME,level,message

but it doesn't returns anything.

Labels (1)
Labels
0 Karma
Reply

woodcock
Esteemed Legend
‎11-20-2019 03:46 PM

Try this:

 index=d** source=S***  source=u** "Files Succesfully Moved To S3 Bucket"
| rename log AS _raw
| kv
| table APP_NAME,level,message
0 Karma
Reply

to4kawa
Ultra Champion
‎11-19-2019 05:22 PM 
| makeresults 
| eval _raw=" { 
    \"log\": {\"@timestamp\": \"2019-11-15T16:00:00.565-08:00\",
    \"@version\": 1,
    \"message\": \"Files Succesfully Moved To S3 Bucket [ 20191115-160000~1.txt,  20191115-160000~1.txt.gz,  20191115-160000~1.txt.gz.done]\",
    \"logger_name\": \"FileGenerator\",
    \"thread_name\": \"scheduling-1\",
    \"level\": \"INFO\",
    \"level_value\": 20000,
    \"APP_NAME\": \"schedule\"},
    \"stream\": \"stdout\",
    \"time\": \"2019-11-16T00:00:00.566173395Z\"
 }" 
| spath

Hi, As you can see from the example, the field names are different.

index=d** source=S***  source=u** "Files Succesfully Moved To S3 Bucket" 
| table log.APP_NAME, log.level, log.message

How about it?

0 Karma
Reply

aberkow
Builder
‎11-19-2019 04:52 PM

If they're all in the form of "message":"Files Successfully Moved to S3 Bucket*", have you tried that as your search clause?

0 Karma
Reply
Get Updates on the Splunk Community!

Get ready to show some Splunk Certification swagger at .conf24!

Dive into the deep end of data by earning a Splunk Certification at .conf24. We're enticing you again this ...

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Now On-Demand Join us to learn more about how you can leverage Service Level Objectives (SLOs) and the new ...

Database Performance Sidebar Panel Now on APM Database Query Performance & Service ...

We’ve streamlined the troubleshooting experience for database-related service issues by adding a database ...