https://community.splunk.com/t5/Splunk-Search/Extract-field-across-multiple-sources-in-different-context/m-p/448536#M127080 <P>Hello Splunkers,</P> <P>I need some help with a basic extraction. I have about 8 different styles of logs which have the same event format. I brought them all in with the same sourcetype.<BR /> The first logs "Processing.log" have a transaction ID in the following format:</P> <PRE><CODE>Transaction ( 12345 ) </CODE></PRE> <P>The next log "Initiator" has the ID in the following format:</P> <PRE><CODE>03/14/2019 18:11:53.392-&gt; Level:8, ( 987654321, 21, 0, *'12345'*, null, TO_DATE('2019/03/01 00:00:00','YYYY/MM/DD </CODE></PRE> <P>The next log includes it in the following event contexts:</P> <PRE><CODE>Not included because custom value doesn't match: transaction: 12345 03/14/2019 18:10:12.685-&gt; Level:8, Fixing transaction Id 12345 </CODE></PRE> <P>I want to extract all these events as a single field "Transaction". I thought I could do it with a "OR" (|) in regex but it's not working:</P> <PRE><CODE>(?:Transaction\s\(\s|transaction\:\s|transaction\sId\s|100.)(?P&lt;transaction&gt;\d{4,5}) </CODE></PRE> <P>Thanks for your guidance!</P> Mon, 18 Mar 2019 15:40:58 GMT johnansett 2019-03-18T15:40:58Z https://community.splunk.com/t5/Splunk-Search/Extract-field-across-multiple-sources-in-different-context/m-p/448536#M127080 <P>Hello Splunkers,</P> <P>I need some help with a basic extraction. I have about 8 different styles of logs which have the same event format. I brought them all in with the same sourcetype.<BR /> The first logs "Processing.log" have a transaction ID in the following format:</P> <PRE><CODE>Transaction ( 12345 ) </CODE></PRE> <P>The next log "Initiator" has the ID in the following format:</P> <PRE><CODE>03/14/2019 18:11:53.392-&gt; Level:8, ( 987654321, 21, 0, *'12345'*, null, TO_DATE('2019/03/01 00:00:00','YYYY/MM/DD </CODE></PRE> <P>The next log includes it in the following event contexts:</P> <PRE><CODE>Not included because custom value doesn't match: transaction: 12345 03/14/2019 18:10:12.685-&gt; Level:8, Fixing transaction Id 12345 </CODE></PRE> <P>I want to extract all these events as a single field "Transaction". I thought I could do it with a "OR" (|) in regex but it's not working:</P> <PRE><CODE>(?:Transaction\s\(\s|transaction\:\s|transaction\sId\s|100.)(?P&lt;transaction&gt;\d{4,5}) </CODE></PRE> <P>Thanks for your guidance!</P> Mon, 18 Mar 2019 15:40:58 GMT https://community.splunk.com/t5/Splunk-Search/Extract-field-across-multiple-sources-in-different-context/m-p/448536#M127080 johnansett 2019-03-18T15:40:58Z https://community.splunk.com/t5/Splunk-Search/Extract-field-across-multiple-sources-in-different-context/m-p/448537#M127081 <P>Your regex looks ok to me (although i adjusted a bit for the second example)<BR /> <A href="https://regex101.com/r/sFjR1X/2">https://regex101.com/r/sFjR1X/2</A></P> Mon, 18 Mar 2019 15:50:44 GMT https://community.splunk.com/t5/Splunk-Search/Extract-field-across-multiple-sources-in-different-context/m-p/448537#M127081 nickhills 2019-03-18T15:50:44Z