For an unknown reason, I have to replace single quotes with double quotes in order to make a duplicate spath call.
"level" is a JSON field inside a JSON in the message field.
* | spath message | eval message=replace(message,"'","\"") | spath input=message | search level=INFO
Got the tip from here https://answers.splunk.com/answers/444133/extract-json-from-a-field.html
Use Perf4J CSV log4j appender, and extract the contents with this:
... | rex field=_raw "\"(?<perf4jtag>.*)\",.*,.*,(?<avg>.*),(?<min>.*),(?<max>.*),(?<dev>.*),(?<count>.*)" | timechart avg(dev) by perf4jtag