I tried search in the community support section for something similar to my issue.
I am trying to parse a specific field which is actually in JSON format. Is there a way to parse out anything within the message section. Below is a sample.
Field name is errorMessage_Field and contains the info below:
{"level":"error","schema":{"loadingURI":"#","pointer":"/definitions/blah"},"instance":{"pointer":"/blah"},"domain":"validation","keyword":"required","message":"object has missing required properties ([\"presosBlahID\"])","required":["presosBlahID"],"missing":["presosBlahID"]}
Using the JSON entry above, im trying to show a table that just shows:
Count | Detailed Error Message
3 | Object has missing required properties: presosBlahID
I realize that using spath is the way to do it but i have not been successful.
index=index_name sourcetype="sourcetype_name errorMessage_Field="errorMessage earliest=-15h
| bucket span=1m _time
| stats count by errorMessage_Field
| fields count errorMessage_Field
| rename count AS "Error Count"
| rename errorMessage_Field AS "Detailed Error Message"
Any assistance is greatly appreciated.
Thanks!
↧