Adding custom fields to splunk query

Question

In my java application, I have added some data to the logs, which then show up in splunk as:

{
    ....
    "duration":"200",
    "methodName":"testMethod",
    "className":"com.test.TestClass",
    ....
}

Currently, if I have to search for these fields, I need to add something like following to filter query:

log=\*"methodName":"testMethod"*

Is there a way to add these custom fields to filter query, so that I can have in my query like:

methodName="testMethod"

And then I also need to use this data to generate charts and visualizations.

Simon Duff Simon Duff · Accepted Answer · 2020-07-22T09:19:21

If the data is in JSON format, you may want to set the kvmode=json in props.conf. Otherwise, you can build a field extraction for the lines you are interested in.

I suggest you take a look at https://docs.splunk.com/Documentation/Splunk/8.0.5/Knowledge/ExtractfieldsinteractivelywithIFX for an easy way to do field extractions

Adding custom fields to splunk query

1 Answers