Few parts of JSON logs as separate fields and remaining as events

sarnagar
Contributor

Hi All,
I have JSON Logs like below:

SAMPLE EVENT:
{
line: 2016-10-21 19:16:00 INFO [CollectorAccess] Updating peer collector list: [172.17.0.6:9998, 172.18.0.3:9998|dynatrace_collector_dev-wlp_wlp.8.9of6d5ylz2g8yc22wioksjhek.ingress:9998|10.255.0.13:9998|10.255.0.15:9998, 10.255.0.20:9998|172.18.0.4:9998|dynatrace_collector_dev-wlp_wlp.5.04w8s09obp9pwe2mu1s9elq7i.ingress:9998|10.255.0.13:9998, 172.17.0.9:9998, 172.17.0.3:9998, 172.18.0.3:9998|dynatrace_collector_dev-wlp_wlp.1.0bs4sokp2fpkkz0nfh4mo4xsc.ingress:9998|10.255.0.13:9998|10.255.0.16:9998, 172.17.0.8:9998, dynatrace_collector_dev-wlp_wlp.7.3hvzd4e5b5zdby4blgu1v8rm8.ingress:9998|172.18.0.4:9998|10.255.0.13:9998|10.255.0.22:9998, dynatrace_collector_dev-wlp_wlp.6.5huzo8ot2fnzavm9ji5it4p9d.ingress:9998|172.18.0.4:9998|10.255.0.13:9998|10.255.0.21:9998, 172.17.0.5:9998, 172.17.0.7:9998, 172.18.0.3:9998|10.255.0.13:9998|10.255.0.17:9998|dynatrace_collector_dev-wlp_wlp.2.5a4bbjtne3hxm3i3f0a0xj7lv.ingress:9998, 10.255.0.18:9998|172.18.0.3:9998|dynatrace_collector_dev-wlp_wlp.3.4tr7zjjhgqqtn0fh9hd0l7qoo.ingress:9998|10.255.0.13:9998, 172.17.0.4:9998, 10.255.0.19:9998|172.18.0.3:9998|dynatrace_collector_dev-wlp_wlp.4.ep9fshp8i94rdz7p7cpwi9v77.ingress:9998|10.255.0.13:9998]
source: stdout
tag: itec-artifactory.fmr.com:6555/com.fmr.pl000123.ezpaas.ezpaas-dynatrace-collector:6.3-11/Dynatrace_Collector_DEV-WLP_WLP.7.3hvzd4e5b5zdby4blgu1v8rm8/5125046f7489

}

I WANT TO MODIFY THE LAST ITALICISED LINE IN THE ABOVE EVENT TO SOMETHING LIKE BELOW: (CHANGES HIGHLIGHTED AS BOLD)
source=stdout,
container-image=itec-artifactory.fmr.com:6555/com.fmr.pl000123.ezpaas.ezpaas-dynatrace-collector:6.3-11,container-service=Dynatrace_Collector_DEV-WLP_WLP.7.3hvzd4e5b5zdby4blgu1v8rm8,container-id=5125046f7489

Basically I want to create field value pairs from the events and also modify its appearance in the UI.

How can I achieve this??


sundareshr
Legend

Try this

base search | eval s=split(tag, "/") | eval container_image=mvindex(s, 0)."/".mvindex(s, 1) | eval container_service=mvindex(s, 2) | eval container_id=mvindex(s, -1)

*OR*

base search | rex field=tag "^(?<container_image>[^\/]+\/[^\/]+)\/(?<container_service>[^\/]+)\/(?<container_id>[^\/]+)$" | table container_*
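As an added illustration, not code from the answer above or from the original thread, the same regular expression applied in Python to a constructed copy of the question's tag value, producing the key=value line the question asks for; Splunk's rex uses PCRE `(?<name>...)` groups, which become `(?P<name>...)` in Python's re. The names SAMPLE_EVENT, parse_container_tag and render_event are assumptions made for this example.

```python
import re

# Constructed sample in the shape of the question's event (Docker json-file log
# as shown in Splunk); the "line" text is abbreviated since only "tag" matters here.
SAMPLE_EVENT = {
    "line": "2016-10-21 19:16:00 INFO [CollectorAccess] Updating peer collector list: [...]",
    "source": "stdout",
    "tag": (
        "itec-artifactory.fmr.com:6555/com.fmr.pl000123.ezpaas.ezpaas-dynatrace-collector:6.3-11"
        "/Dynatrace_Collector_DEV-WLP_WLP.7.3hvzd4e5b5zdby4blgu1v8rm8/5125046f7489"
    ),
}

# The tag is registry:port/repo:version/service/container-id. The image spans the
# first TWO slash-separated segments, so split("/")[0] alone would stop at the
# registry host; the colons inside segments are why "/" is the only safe separator.
TAG_RE = re.compile(
    r"^(?P<container_image>[^/]+/[^/]+)/"
    r"(?P<container_service>[^/]+)/"
    r"(?P<container_id>[^/]+)$"
)


def parse_container_tag(tag):
    """Return the three container fields from a tag, or None if it does not match."""
    m = TAG_RE.match(tag)
    if m is None:
        return None
    return m.groupdict()


def render_event(event):
    """Render event metadata as the key=value line requested in the question."""
    fields = parse_container_tag(event["tag"])
    if fields is None:
        # Keep the raw tag rather than silently dropping an unparseable value.
        return "source={},tag={}".format(event["source"], event["tag"])
    return (
        "source={source},container-image={container_image},"
        "container-service={container_service},container-id={container_id}"
    ).format(source=event["source"], **fields)


if __name__ == "__main__":
    print(render_event(SAMPLE_EVENT))
```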

hardikJsheth
Motivator

If you are using a heavy forwarder, keep all the settings on the forwarder only. Can you put your transforms on the heavy forwarder and try?


sarnagar
Contributor

Hi @hardikJsheth,

I did that but it didn't help 😞
Is there a way to extract fields from the extracted field tag like below??
container-image=itec-artifactory.fmr.com:6555/com.fmr.pl000123.ezpaas.ezpaas-dynatrace-collector:6.3-11,container-service=Dynatrace_Collector_DEV-WLP_WLP.7.3hvzd4e5b5zdby4blgu1v8rm8,container-id=5125046f7489
