Re: How to extract Specific field and segregate th...

john_snow · ‎10-22-2020

I have logs coming from AWS,
first, I need to get just a message (which is an event) from the log
Second, in some logs, we have multiple messages inside log events,
How I can just show logEvents{}.message and segregate the messages from the logs?

Sample log is

{ [-]
   logEvents: [ [-]
     { [-]
       id: 123456789.....
       message: {"Actual Log Event"}
       timestamp: 1601177009988
     }
     { [-]
     }
   ]
   logGroup: CloudTrail
   logStream: 1234567890_CloudTrail_us-east-1
   messageType: DATA_MESSAGE
   owner:1234567890
   subscriptionFilters: [ [-]
   ]
}

ITWhisperer · ‎10-23-2020

| spath input=event logEvents{}.message

This assumes that event contains just the JSON format part of the log.

john_snow · ‎11-11-2020

How I can separate messages from the nested log like in the below log I wanted to separate each message in a log event. We can have single or multiple meesga in a LogEven

{ [-] 
   logEvents: [ [-] 
     { [-] 
       id: 123456789..... 
       message: {"Actual Log Event"} 
       timestamp: 1601177009988 
     } 
     { [-]
       id: 123456789..... 
       message: {"Actual Log Event"} 
       timestamp: 1601177009988 
     } 
   ] 
   logGroup: CloudTrail 
   logStream: 1234567890_CloudTrail_us-east-1 
   messageType: DATA_MESSAGE 
   owner:1234567890 
   subscriptionFilters: [ [-]
   ] 
}

ITWhisperer · ‎11-12-2020

First extract logEvents{}, then extract message from those. Something like

| spath logEvents{} output=logEvents
| mvexpand logEvents
| spath input=logEvents message

You may need the mvexpand to separate out the different messages.

How to extract Specific field and segregate the bunched eventslogs

fields

regex

rex

Combine Multiline Logs into a Single Event with SOCK - a Guide for Advanced Users

Everything Community at .conf24!

Index This | I’m short for "configuration file.” What am I?