I have a log in Splunk which contains messages in sequence order:
"message":" ---Abroad country is good COUNTRYID - GERMAN9876-er4-22"
"message":" ---Abroad country is good COUNTRYID - GERMAN9876-er4-23"
"message":" ---Abroad country is good COUNTRYID - GERMAN9876-er4-24"
I want to create a table in a Splunk dashboard, using a Splunk query, with these columns, to list all the case numbers with the details:
COUNTRYID
GERMAN9876-er4-22
GERMAN9876-er4-23
GERMAN9876-er4-24
I am very new to Splunk; can someone guide me on how to start building this and where to look? Any hint or demo will work. Thank you.
You will need to use rex to isolate the desired field:
index=<your search>
| rex "\"message\":\" ---Abroad country is good COUNTRYID - (?<CountryID>[\w-]+)\""
| table CountryID
The above is untested.
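Since the answer's search was posted untested, here is an added example (not part of the thread, and not Splunk's own code) that replays the same extraction in Python so the regex can be checked offline against constructed events modelled on the lines in the question. It mimics what `| rex ... | table CountryID` produces, including an event with no COUNTRYID where rex adds no field, and then what `| stats count by CountryID` would give instead. The JSON wrapper around `message`, the WARN line and the repeated case number are all constructed for the example.

```python
import re
from typing import Optional

# Constructed sample events modelled on the lines quoted in the question
# (made up for this example, not real log data). The last two lines add
# cases the search has to cope with: a line with no COUNTRYID and a
# repeated case number.
SAMPLE_EVENTS = [
    '{"level":"INFO","message":" ---Abroad country is good COUNTRYID - GERMAN9876-er4-22"}',
    '{"level":"INFO","message":" ---Abroad country is good COUNTRYID - GERMAN9876-er4-23"}',
    '{"level":"INFO","message":" ---Abroad country is good COUNTRYID - GERMAN9876-er4-24"}',
    '{"level":"WARN","message":" ---Abroad country lookup skipped"}',
    '{"level":"INFO","message":" ---Abroad country is good COUNTRYID - GERMAN9876-er4-22"}',
]

# Python equivalent of the SPL rex pattern from the answer. Splunk's PCRE
# spells a named group (?<CountryID>...); Python's re module needs
# (?P<CountryID>...). [\w-]+ stops at the closing quote of the message
# value, so the match ends exactly at the case number, and the literal
# prefix keeps it from matching a stray "COUNTRYID" elsewhere in the event.
COUNTRY_ID_RE = re.compile(
    r'"message":" ---Abroad country is good COUNTRYID - (?P<CountryID>[\w-]+)"'
)


def extract_country_id(event: str) -> Optional[str]:
    """Return the CountryID value rex would extract, or None where rex adds nothing."""
    m = COUNTRY_ID_RE.search(event)
    return m.group("CountryID") if m else None


def build_table(events):
    """Mimic `| rex ... | table CountryID`: one row per event, keeping events
    where the field is missing (Splunk renders those cells empty)."""
    return [{"CountryID": extract_country_id(e)} for e in events]


def count_by_country_id(events):
    """Mimic `| stats count by CountryID`: events without the field are
    dropped and repeats are collapsed, which is usually what a case-list
    panel wants."""
    counts = {}
    for e in events:
        cid = extract_country_id(e)
        if cid is not None:
            counts[cid] = counts.get(cid, 0) + 1
    return counts


if __name__ == "__main__":
    print("CountryID")
    for row in build_table(SAMPLE_EVENTS):
        print(row["CountryID"] if row["CountryID"] is not None else "")
    print()
    print("CountryID  count")
    for cid, n in sorted(count_by_country_id(SAMPLE_EVENTS).items()):
        print(f"{cid}  {n}")
```

In Splunk itself, if the events are indexed as JSON so that `message` is already a field, the shorter form `rex field=message "COUNTRYID - (?<CountryID>[\w-]+)"` avoids depending on the raw quoting, and following it with `stats count by CountryID` instead of `table CountryID` gives one row per case number rather than one row per event.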