How can I extract required data from logs into custom fields using a Splunk query?
I have tried multiple queries using the rex command to extract certain parts of the data from logs into some custom fields, but I never see those in the output where Splunk shows all the output fields.
For example, if the following is the data in the logs:
student : {"firstName":"Barry", "lastName":"Allen", "city":"Central City", "address":"xyz"}
student : {"firstName":"Oliver", "lastName":"Queen", "city":"Starling City", "address":"abc"}
student : {"firstName":"Wally", "lastName":"West", "city":"Central City", "address":"mno"}
I want to extract all the cities into the field "StudentCity". Is it possible to show only a list of student names and cities in the output?
I am trying the following:
"student " | rex field=_raw "StudentCity:(?<city>\"city\"\:.*)"
I want this to output a table with StudentCity as the column name. If I can get such an output, I can then run other stats like counting students belonging to a particular city, etc.
Please suggest.
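Added example, not part of the original question or any answer to it: the pattern below anchors on the literal JSON keys that actually occur in the raw event text (`"firstName":"` and `"city":"`), captures both values into named groups, and then counts students per city, which is the follow-up the question asks about. Python is used so it runs offline on the constructed sample events; the Splunk form in the comment is the assumed equivalent (Splunk rex uses PCRE `(?<name>...)` groups, Python uses `(?P<name>...)`). The fourth event, which has no city, is constructed to show that a non-matching event simply yields no field rather than breaking the extraction.

```python
import re
from collections import Counter

# Constructed sample events, modelled on the three lines in the question plus
# one event without a "city" key to exercise the non-matching case.
SAMPLE_EVENTS = [
    'student : {"firstName":"Barry", "lastName":"Allen", "city":"Central City", "address":"xyz"}',
    'student : {"firstName":"Oliver", "lastName":"Queen", "city":"Starling City", "address":"abc"}',
    'student : {"firstName":"Wally", "lastName":"West", "city":"Central City", "address":"mno"}',
    'student : {"firstName":"Cisco", "lastName":"Ramon", "address":"pqr"}',
]

# Assumed Splunk equivalent of this regex (quotes escaped inside the SPL string):
#   ... | rex field=_raw "\"firstName\":\"(?<StudentName>[^\"]*)\".*?\"city\":\"(?<StudentCity>[^\"]*)\""
#       | table StudentName StudentCity
# The non-greedy .*? keeps the match inside one event's JSON object.
EXTRACT_RE = re.compile(
    r'"firstName":"(?P<StudentName>[^"]*)".*?"city":"(?P<StudentCity>[^"]*)"'
)


def extract_fields(events):
    """Return one row (dict) per event that matches; events without a city get no row,
    which mirrors rex leaving the field unset on a non-matching event."""
    rows = []
    for raw in events:
        m = EXTRACT_RE.search(raw)
        if m is None:
            continue
        rows.append({
            "StudentName": m.group("StudentName"),
            "StudentCity": m.group("StudentCity"),
        })
    return rows


def count_by_city(rows):
    """Equivalent of `stats count by StudentCity` over the extracted rows."""
    return dict(Counter(row["StudentCity"] for row in rows))


if __name__ == "__main__":
    table = extract_fields(SAMPLE_EVENTS)
    for row in table:
        print(f'{row["StudentName"]:<10} {row["StudentCity"]}')
    print(count_by_city(table))
```

Because the part of each event after `student : ` is well-formed JSON, a regex is the fragile option: it silently depends on key order and on values containing no double quotes. Where the events really are JSON, Splunk's spath command parses the object and exposes every key as a field regardless of ordering; the regex form above is kept only because it mirrors what the question is attempting.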
