I am using ingest action to filter the log message before being indexed in splunk.. I want to include the message that matches only the keyword :ERROR: and :FATAL: rest all of the messages should not be indexed. Whereas in splunk ingest action has the filter to only exclude message not the include ... View more

i have all the below messages in the "response" field. {"errors": ["Message: Payment failed. Reason: Hi, we attempted to process the transaction but it seems there was an error. Please check your information and try again. If the problem persists please contact your bank."]} {"errors": ["Unable to retrieve User Profile with sub '2415d' as it does not exist"]} {"errors": ["Unable to retrieve User Profile with sub 'dfadf' as it does not exist"]} {"errors": ["Unable to retrieve User Profile with sub 'fdsgad' as it does not exist"]} {"errors": ["Unallocated LRW seat not found with product id fdafdsaddsfa and start datetime utc 2024-01-06T05:30:00+00:00 and test location id dfafdfa"]} {"errors": ["Unallocated LRW seat not found with product id sfgdfa and start datetime utc 2024-01-06T05:30:00+00:00 and test location id dsfadfsa"]} I wanted to display the result with the count as  Message: Payment failed. Reason: Hi, we attempted to process the transaction but it seems there was an error. Please check your information and try again. If the problem persists please contact your bank. Unable to retrieve User Profile with sub '***' as it does not exist Unallocated LRW seat not found with product id *** and start datetime utc 2024-01-06T05:30:00+00:00 and test location id *** ... View more

index="********" message_type =ERROR correlation_id="*" | eval err_field1 = spath(_raw,"response_details.body") | eval err_field2 = spath(_raw,"response_details") | eval err_field3 = spath(_raw,"error") | eval err_field4 = spath(_raw,"message") | eval err_final=coalesce(err_field1,err_field2,err_field3,err_field4) | table err_field1 err_field2 err_field3 err_field4 err_final i have the fields populating for err_field3 and err_field4.. but its not populating in the err_final. Attached the screenshot for reference ... View more

Hi,  I am getting the below error when i'm trying to configure the Webhook alert to post in Microsoft Teams.   12-19-2023 11:57:56.700 +0000 ERROR sendmodalert [292254 AlertNotifierWorker-0] - action=webhook STDERR - Error sending webhook request: HTTP Error 400: Bad Request   12-19-2023 11:57:56.710 +0000 INFO sendmodalert [292254 AlertNotifierWorker-0] - action=webhook - Alert action script completed in duration=706 ms with exit code=2   12-19-2023 11:57:56.710 +0000 WARN sendmodalert [292254 AlertNotifierWorker-0] - action=webhook - Alert action script returned error code=2 ... View more

I have two different logs where the error is capturing in different fields in each log message...(error_message and error_response) I have to capture the error_message and error_response without dropping the other logs.? Log 1 : message:"Lambda execution: exit with failure", message_type:"ERROR", error_message:"error reason update" Log 2 : message:"Lambda execution: exit with failure", message_type:"ERROR", error_response:"updated error reason" Expected Output : Error                                                   count 1. error reason update                  1 2. updated error reason                1 ... View more

\"message\": \"Invalid Application ID\", \"messages\": null, \"error_response\": null, Need to extract the above message field without dropping other log messages. Like Nodrop option  ... View more