Re: Is there any possibility to split the value fr...

JGP · ‎04-04-2023

is there any possibility to split the value from the message field, like teamName, ID as a different field.

JGP · ‎04-10-2023

any recommendations? we need those extracted fields to be come under the event details same like below message , namespace_id , namespace_name , .....?

yeahnah · ‎04-10-2023

Hi @JGP

It's a little ugly but since the message field looks to be valid JSON, you could do this...

...
  ``` backup event then rename message field to _raw ```
| eval raw=_raw | rename message AS _raw  
| extract    ``` extract the json from _raw - n.b. it only works on _raw field ```
  ``` rename _raw back to message, reset _raw event back to original and remove copy ```
| rename _raw AS message | eval _raw=raw | fields - raw

Not sure how well it scales on big data sets.

Anyway, hope it helps

JGP · ‎04-06-2023

by any chance if we extract field "teamName", "ID " with the rex command can come under the event that pasted in the original post just like under message , namespace_id , namespace_name , .....?

JGP · ‎04-04-2023

where to find the button?

sample event for ref.

appid: 111111
cluster: abcdefgh
container_id: c44444444444444444444455555555555566666
container_image: docker-dev-local.artifactrepository.**************.net/*********-project-111111/********************:master-55-c3444444
container_image_id: docker-dev-local.artifactrepository.********.net/*********-project-111111/******@s*************************
container_name: ecs-***************
environment: dev
hosting_env: *******
hostname: app-14.********.ecs.*******
level: debug
log_type: app_containers
logroute: *******************
message: {"timestamp":"2023-03-30T12:29:51.684Z","msg":"REQUEST DATA : GET /generic/healthcheck, client=1.1.1.1]","logClass":"org.springframework.web.filter.CommonsRequestLoggingFilter","threadID":"http-nio-9099-exec-9","logLevel":"DEBUG","ID":"111111","teamName":"SL"}
namespace_id: 00000000000000000000000000000
namespace_name: ************************
openshift: { [+]
}
ose_workload: dev
pod_id: 1111111111111111111111111
pod_ip: 11.11.11.111
pod_name: **********************
sector: *******
timestamp: 2023-03-30T12:29:51.684743385+00:00

Icecream123 · ‎04-04-2023

Hi,

You can try to perform regex on the field to get the required values from the field. The below if a sample regex to extract the loglevel or teamName or ID. (need to optimize further accordingly.)

|rex field=_raw ""logLevel":"(?<loglevel>\S*)","ID":"(?<ID>\S*)","teamName":"(?<teamname>\w*)"

If the message field is already extracted you can try:

|rex field=message ""logLevel":"(?<loglevel>\S*)","ID":"(?<ID>111111)","teamName":"(?<teamname>\w*)"

Hope this is what you are looking to do!

ITWhisperer · ‎04-04-2023

| spath message
| spath input=message

gcusello · ‎04-04-2023

Hi @JGP,

yes it's possible but I need a sample of the event in text format, not screenshot, highlighting the fields to extract.

Put the samples using "Insert Edit Code Sample" button.

Ciao.

Giuseppe

Is there any possibility to split the value from the message field, like teamName, ID as a different field?

field extraction

Detecting Remote Code Executions With the Splunk Threat Research Team

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

.conf24 | Session Scheduler is Live!!