Hi Folks,

I am attempting to look at some Splunk logs and within the JSON, I only care about 3 fields: cmd, vax, opcode. In this case, we want an alert to trigger any time a timeout occurs, and in the email, we want the manager to see which cmd, vax and opcode are associated with the timeout. Below is an example of a log:

[Fri Feb 26 10:07:29 2016] [error] [XoPolZO1CN2S8ubAvl7IoJ8tCF8] [2016-02-26,10:07:29.765] ServiceClient::Atlas: recv: {"header":{"result":"0x0","statmsg":"PASS","statcode":"0x0","cache":0,"mode":10,"quenum":"0x0","quewait":0,"querate":0,"sid":"XoPolZO1CN2S8ubAvl7IoJ8tCF8","bid":"rXUWZoJ7MwzAGQdrySIk8zhMwg0","cip":"192.168.57.220","token":"0000000208050005000042754239A8C000000000022C2AA2EFE9A793","uid":"SYSTEMCALL"},"command1":
{"cmd":"reclas_opens_holds","ref":null,"result":"0x0","resultcode":"0x0","vax":"CH2","opcode":"THE706","op_revision":24,"code_in_required":0,"error":"","details":
[{"id":"0","count":2,"result":0},{"id":"1","count":2,"result":0},{"id":"2","count":2,"result":0},
{"id":"3","count":3,"result":0},{"id":"4","count":2,"result":0},{"id":"5","count":4,"result":0},
{"id":"6","count":4,"result":0},{"id":"7","count":1,"result":0},{"id":"8","count":1,"result":0},
{"id":"9","count":3,"result":0},{"id":"10","count":2,"result":0},{"id":"11","count":4,"result":0},
{"id":"12","count":2,"result":0},{"id":"13","count":4,"result":0},{"id":"14","count":2,"result":0}]}}

Here is my search thus far, but it's not removing any of the fields. We are trying to make the report as readable as possible.

index=yma source="/apt/local/logs/error_log" AND "vax" AND "cmd" AND "opcode" | fields cmd, vax, opcode, error*