@PickleRick Thank you for your response and patience.  ... View more

Thank you @yuanliu  Had to modify a little to make it work | rename log.message as _raw | rex mode=sed "s/errors=(.+) fields=(.+)/errors=\"\1\" fields=\"\2\"/" | rex field=_raw "path=(?P<path>.*) feedType=(?P<feedType>.*) sku=(?P<sku>.*) status=(?P<status>.*) errorCount=(?P<errorCount>.*) errors=(?P<errors>.*) fields=(?P<fields>.*)" | table path, feedType, sku, status, errorCount, errors, fields ... View more

I have not seen value with equal sign. I am open for suggestions to pick a better delimiter. There are some values with space. Would this be a problem? I can certainly improve the structure. comma-space is a multivalued field. There are two such fields. Of which, I would need to compute high frequency value at a later stage. I can modify multivalued field [list of data] to something like this  https://www.splunk.com/en_us/blog/tips-and-tricks/delimiter-base-kv-extraction-advanced.html?locale=en_us  FIELDS= "time", "client-ip", "cs-method", "sc-status" @PickleRick Let me know the if there are any changes to be make to log.message to make it "full-preg" so that Splunk can deliver 😉          ... View more

Here is the sample log.    {"cluster_id":"cluster","kubernetes":{"host":"host","labels":{"app":"app","version":"v1"},"namespace_name":"namespace","pod_name":"pod},"log":{"App":"app_name","Env":"stg","LogType":"Application","contextMap":{},"endOfBatch":false,"level":"INFO","loggerFqcn":"org.apache.logging.log4j.spi.AbstractLogger","loggerName":"com.x.x.x.X","message":"Json path=/path feed=NAME sku=SKU_NAME status=failed errorCount=3 errors=ERROR_1, ERROR_2, MORE_ERROR_3 fields=Field 1, Field 2, More Fields Here","source":{"class":"com.x.x.x.X","file":"X.java","line":1,"method":"s"},"thread":"http-apr-8080-exec-4","threadId":1377,"threadPriority":5,"timeMillis":1727978156925},"time":"2024-10-03T17:55:56.925335046Z"}   Expected output from field message path feed sku status errorCount errors fields   /path Name SKU_NAME failed 3 ERROR_1, ERROR_2, MORE_ERROR_3 Field 1,Field 2,More Fields Here       If data within message field is ugly, I am willing to modify. But I assume, it will be treated as raw data and will not be treated as field @PickleRick   ---  This seems to work when  these regex are removed errors=(?P<errors>[^,]+) fields=(?P<fields>[^,]+) How do I fix errors and fields. Whereas when tested on  https://pythex.org/  it works index=item-interface "kubernetes.namespace_name"="namespace" "cluster_id":"*stage*" "Env":"stg" "loggerName":"com.x.x.x.X" "Json path=/validate feedType=" "log.level"=INFO | rename log.message as _raw | rex field=_raw "Json path=(?P<path>\/\w+) feedType=(?P<feedType>\w+) sku=(?P<sku>\w+) status=(?P<status>\w+) errorCount=(?P<errorCount>\w+) errors=(?P<errors>[^,]+) fields=(?P<fields>[^,]+)" | table path, feedType, sku, status, errorCount, errors, fields   ... View more

This is the query I have figured out from awesome Splunk community    index=my-index "kubernetes.namespace_name"="namus" "cluster_id":"*stage*" "Env":"stg" "loggerName":"com.x.x.x.SomeClass" "My simple query for key=" "log.level"=INFO | spath output=x log.message | rex max_match=0 field=x "(?<key>\w+)=(?<value>\w+)" | eval z=mvzip(key, value, "~") | mvexpand z | rex field=z "(?<key>[^~]+)~(?<value>.*)" | table key value | eval dummy="" | xyseries dummy key value | fields - dummy   Which results in this output. I am missing lot of data. Can someone show how to list all the rows found. What is that I am missing here?  ... View more