Splunk Enterprise

Extract json from event if the event contains the string

karthi25
Path Finder

I have following events in splunk log

{ [-]
   log: {"@timestamp":"2019-11-18T16:02:16.080-08:00","@version":1,"message":"Files Succesfully Moved To S3 Bucket [20191118-160215~0.txt,  20191118-160215~0.txt.gz, ~20191118-160215~0.txt.gz.done]","logger_name":"FileGenerator","thread_name":"scheduling-1","level":"INFO","level_value":20000,"APP_NAME":"schedule"}

   stream: stdout
   time: 2019-11-19T00:02:16.08107067Z
}
{ [-]
   log: {"@timestamp":"2019-11-19T04:06:07.008-08:00","@version":1,"message":"Processing Ended at 2019-11-19T04:06:07.008-08:00","logger_name":"FileGenerator","thread_name":"scheduling-1","level":"INFO","level_value":20000,"APP_NAME":"schedule"}

   stream: stdout
   time: 2019-11-19T12:06:07.008346529Z
}

{ [-]
   log: {"@timestamp":"2019-11-16T16:00:00.658-08:00","@version":1,"message":"Files Succesfully Moved To S3 Bucket [ 20191116-160000~0.txt,  20191116-160000~0.txt.gz,  20191116-160000~0.txt.gz.done]","logger_name":"FileGenerator","thread_name":"scheduling-1","level":"INFO","level_value":20000,"APP_NAME":"schedule"}

   stream: stdout
   time: 2019-11-17T00:00:00.658656167Z
}

{ [-]
   log: {"@timestamp":"2019-11-15T16:00:00.565-08:00","@version":1,"message":"Files Succesfully Moved To S3 Bucket [ 20191115-160000~1.txt,  20191115-160000~1.txt.gz,  20191115-160000~1.txt.gz.done]","logger_name":"FileGenerator","thread_name":"scheduling-1","level":"INFO","level_value":20000,"APP_NAME":"schedule"}

   stream: stdout
   time: 2019-11-16T00:00:00.566173395Z
}

Now, I want to extract message,app_name,level from the log only when the message contains the string "Files Succesfully Moved To S3 Bucket".
I already tried the following query:

index=d** source=S***  source=u** "Files Succesfully Moved To S3 Bucket" | table APP_NAME,level,message

but it doesn't returns anything.

Labels (1)
0 Karma

woodcock
Esteemed Legend

Try this:

 index=d** source=S***  source=u** "Files Succesfully Moved To S3 Bucket"
| rename log AS _raw
| kv
| table APP_NAME,level,message
0 Karma

to4kawa
Ultra Champion
| makeresults 
| eval _raw=" { 
    \"log\": {\"@timestamp\": \"2019-11-15T16:00:00.565-08:00\",
    \"@version\": 1,
    \"message\": \"Files Succesfully Moved To S3 Bucket [ 20191115-160000~1.txt,  20191115-160000~1.txt.gz,  20191115-160000~1.txt.gz.done]\",
    \"logger_name\": \"FileGenerator\",
    \"thread_name\": \"scheduling-1\",
    \"level\": \"INFO\",
    \"level_value\": 20000,
    \"APP_NAME\": \"schedule\"},
    \"stream\": \"stdout\",
    \"time\": \"2019-11-16T00:00:00.566173395Z\"
 }" 
| spath

Hi, As you can see from the example, the field names are different.

index=d** source=S***  source=u** "Files Succesfully Moved To S3 Bucket" 
| table log.APP_NAME, log.level, log.message

How about it?

0 Karma

aberkow
Builder

If they're all in the form of "message":"Files Successfully Moved to S3 Bucket*", have you tried that as your search clause?

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...