I have split my mixed log, which contains both text and JSON, into a table.
For reference, I have queried it as a table as shown below:
and used the query below to extract fields like splunkId, processId, and processLogId:
index=****source=**** | sort -time | fields _time _raw
| eval data = replace(_raw,"}\n{","Processed SplunkLogger") | eval data = replace(data,"{"," ")
| eval data = replace(data,"}"," ") | eval data = split(data,"Processed SplunkLogger")
| where like(data, "%levelIndicator='****'%") | mvexpand data | eval _raw=data | table splunkId,processId, processLogId
But it doesn't return anything. Can anyone please help me out with it?
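For readers following this thread, here is an added, stand-alone Python version of the extraction the SPL pipeline above is trying to do: walk a mixed text/JSON log, pull out each complete JSON object (including ones that share a line with free text or contain braces inside string values), keep only the records whose levelIndicator matches, and return the splunkId, processId and processLogId fields. This is not the poster's code and not SPL; the sample log and the field names other than those in the post are constructed for the example. One point it makes concrete is that the objects must still be intact JSON when fields are extracted, which is why the example splits on complete objects instead of replacing the braces.

```python
import json
from typing import Dict, Iterator, List, Sequence

# Constructed sample log: plain text lines mixed with JSON objects,
# two objects back to back, one object trailing free text, and one
# string value that itself contains braces.
SAMPLE_LOG = """2024-01-01 10:00:00 INFO Service started
{"splunkId": "s-1", "processId": 101, "processLogId": "pl-1", "levelIndicator": "ERROR", "msg": "boom"}
{"splunkId": "s-2", "processId": 102, "processLogId": "pl-2", "levelIndicator": "INFO", "msg": "ok {not json}"}
plain text trailer {"splunkId": "s-3", "processId": 103, "processLogId": "pl-3", "levelIndicator": "ERROR"}
"""


def iter_json_objects(text: str) -> Iterator[dict]:
    """Yield every complete top-level JSON object embedded in `text`.

    Uses JSONDecoder.raw_decode so nested braces and braces inside
    string values are handled by the real parser, not by a regex.
    A '{' that does not start valid JSON (e.g. in free text) is skipped.
    """
    decoder = json.JSONDecoder()
    pos = 0
    while True:
        start = text.find("{", pos)
        if start == -1:
            return
        try:
            obj, end = decoder.raw_decode(text, start)
        except json.JSONDecodeError:
            # Not a JSON object at this brace; move past it and keep scanning.
            pos = start + 1
            continue
        if isinstance(obj, dict):
            yield obj
        pos = end


def extract_fields(
    text: str,
    level: str,
    fields: Sequence[str] = ("splunkId", "processId", "processLogId"),
) -> List[Dict[str, object]]:
    """Return one row per JSON record whose levelIndicator equals `level`.

    Filtering happens on the parsed object, so the value comparison is
    exact and does not depend on how the record was laid out in the log.
    """
    rows = []
    for obj in iter_json_objects(text):
        if obj.get("levelIndicator") != level:
            continue
        rows.append({name: obj.get(name) for name in fields})
    return rows


if __name__ == "__main__":
    for row in extract_fields(SAMPLE_LOG, "ERROR"):
        print(row)
```

Running the module prints the two ERROR records (s-1 and s-3) with the three requested fields; the INFO record is dropped and the free-text lines never reach the field extraction.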