How to extract Specific field and segregate the bu...

john_snow · ‎10-22-2020

I have logs coming from AWS,
first, I need to get just a message (which is an event) from the log
Second, in some logs, we have multiple messages inside log events,
How I can just show logEvents{}.message and segregate the messages from the logs?

Sample log is

{ [-]
   logEvents: [ [-]
     { [-]
       id: 123456789.....
       message: {"Actual Log Event"}
       timestamp: 1601177009988
     }
     { [-]
     }
   ]
   logGroup: CloudTrail
   logStream: 1234567890_CloudTrail_us-east-1
   messageType: DATA_MESSAGE
   owner:1234567890
   subscriptionFilters: [ [-]
   ]
}

ITWhisperer · ‎10-23-2020

| spath input=event logEvents{}.message

This assumes that event contains just the JSON format part of the log.

john_snow · ‎11-11-2020

How I can separate messages from the nested log like in the below log I wanted to separate each message in a log event. We can have single or multiple meesga in a LogEven

{ [-] 
   logEvents: [ [-] 
     { [-] 
       id: 123456789..... 
       message: {"Actual Log Event"} 
       timestamp: 1601177009988 
     } 
     { [-]
       id: 123456789..... 
       message: {"Actual Log Event"} 
       timestamp: 1601177009988 
     } 
   ] 
   logGroup: CloudTrail 
   logStream: 1234567890_CloudTrail_us-east-1 
   messageType: DATA_MESSAGE 
   owner:1234567890 
   subscriptionFilters: [ [-]
   ] 
}

ITWhisperer · ‎11-12-2020

First extract logEvents{}, then extract message from those. Something like

| spath logEvents{} output=logEvents
| mvexpand logEvents
| spath input=logEvents message

You may need the mvexpand to separate out the different messages.

How to extract Specific field and segregate the bunched eventslogs

fields

regex

rex

ATTENTION!! We’re MOVING (not really)

Splunk Admins: Build a Smarter Stack with These Must-See .conf25 Sessions

AppDynamics Summer Webinars

Are you a member of the Splunk Community?