
AWS CloudWatch parsing logs


I am able to parse a field and extract it but I can't see how to bring more than one field out from the log further down.

Using this query...

fields @item29
| filter @message like /item29/
| parse @message '"item29\\\\\\":\\\\\"*\\\\\\' as @item29

I manage to get item29 out as a field, but I don't know how to get both item29 and item35 out; I don't know how to combine the query to extract both.

This is the log...

{"time":"2024-03-26T16:58:59.907719615Z","log":"time=\"2024-03-26T16:58:59Z\" level=info msg=\"{\\\"item1\\\":\\\"45\\\",\\\"item2\\\":{\\\"item3\\\":\\\"12\\\",\\\"item4\\\":\\\"ASE\\\",\\\"item5\\\":\\\"ASE\\\"},\\\"item6\\\":[{\\\"item7\\\":0.00,\\\"item8\\\":\\\"THING\\\"},{\\\"item9\\\":0.00,\\\"item10\\\":\\\"THING2\\\"},{\\\"item11\\\":159,\\\"item12\\\":\\\"THING\\\"},{\\\"item13\\\":000,\\\"item14\\\":\\\"THING3\\\"}],\\\"item15\\\":[{\\\"item16\\\":000,\\\"item17\\\":null,\\\"item18\\\":null,\\\"item19\\\":\\\"THING\\\"}],\\\"item20\\\":0.00,\\\"item21\\\":0.00,\\\"item22\\\":{\\\"item23\\\":{\\\"item24\\\":0,\\\"item25\\\":\\\"OK\\\",\\\"item27\\\":\\\"0\\\"},\\\"item28\\\":null,\\\"item29\\\":\\\"16::1::56475::77::6565\\\",\\\"item30\\\":77,\\\"item31\\\":\\\"22514b75-eb92-11ee-a847-0a8814ce348e-C\\\",\\\"item32\\\":null,\\\"item33\\\":null,\\\"item34\\\":6769,\\\"item35\\\":\\\"16::1::67698::22514b75-e456-11ee-a847-7567-C::77\\\",\\\"item36\\\":null}}\"}

I tried the following...

fields @item29, @item35
| filter @message like /item29/
| parse @message '"item29\\\\\\":\\\\\"*\\\\\\' as @item29, '"item35\\\\\\":\\\\\"*\\\\\\' as @item35

Also tried...

fields @item29, @item35
| filter @message like /item29/
| parse @message '"item29\\\\\\":\\\\\"*\\\\\\, "item35\\\\\\":\\\\\"*\\\\\\' as @item29, @item35

I would really appreciate your help.


Solution

  • Could you try this

    fields @item29, @item35
    | filter @message like /item29/ and @message like /item35/
    | parse @message '"item29":"*","item35":"*"' as @item29, @item35