how do i access a field that is not listed?

dgonzales999 · ‎05-29-2014

How do I access "processing_time" from the data below. I want to get the average time. It is not listed as a field.
{"@type":"log:LogIncomingRequestEvent","level":"INFO","when":"2014-05-29 16:04:06,459","method":"LogFilter.logIncomingRequest#156","thread":"http-bio-8087-exec-4","init_tid":"b0507da3-6687-4028-8fe2-8c98c92b783d","request":{ "@type":"log:IncomingRequest", "client_ip":"pqal.corp.net","http_method":"POST","url":"/mms/v1/transfers","user_agent":"Apache-HttpClient/4.3.2 (java 1.5)","processing_time":137},"msg":"OK"}

stefandagerman · ‎05-29-2014

Can you not set KV_MODE=JSON (your event looks like it is valid JSON) in props.conf for the sourcetype and let Splunk do the work for you?
props.conf docs

somesoni2 · ‎05-30-2014

It is a valid json, validated from http://jsonlint.com/. Once you import the data with KV_MODE=JSON, you should be able to see fields like 'request.processing_time' and then you can use 'stats' command to get the average.

grijhwani · ‎05-29-2014

Easiest way is to use the field extractor tool.

Generate a search that contains it then select the drop-down next to one of the presented records, and select "field extractor".

http://docs.splunk.com/Documentation/Splunk/6.1.1/Knowledge/ExtractfieldsinteractivelywithIFX

how do i access a field that is not listed?

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor