topic Re: Field Extraction Not Showing Up in Splunk Search

Field Extraction Not Showing Up

skoelpin — Fri, 15 May 2015 20:46:42 GMT

I'm doing an extraction for Jsession ID's. I'm writing the regex myself and after previewing the events, it correctly captures 100% of what I need it to. Now after I save it and look for it in on the left in 'Fields', it's nowhere to be found. I also tried typing it into my search Jsession="*" with no luck. I'm also open to suggestions if anyone can provide regex to capture the alphanumeric Jsession ID which always has 32 characters

There is < and > before and after the word jsession but this website won't show it in the code
Here's my regex

(?PJsession)([0-9A-Z]{32})

Re: Field Extraction Not Showing Up

MuS — Sat, 16 May 2015 02:40:36 GMT

Hi skoelpin,

check if you get any event at all containing the raw data for the Jsession field, as well check if you're maybe running search in fast mode http://docs.splunk.com/Documentation/Splunk/6.2.3/Search/Changethesearchmode which will not extract any other fields aside of the default ones such as host, source, and sourcetype.

cheers, MuS

Re: Field Extraction Not Showing Up

neelamssantosh — Sat, 16 May 2015 03:11:58 GMT

Kindly share sample log

Re: Field Extraction Not Showing Up

skoelpin — Tue, 19 May 2015 15:22:04 GMT

Thanks for the reply.. I currently have 2 different types of fields, I got the regex working for one type but I need an OR operator to get the other type.

Here's my current regular expression which works for type 1 but does not work for type 2. I need to have an OR operator somewhere in there so it can see | OR <

|(?P<Jsession> [0-9A-Z]{32})

Also this regular expression will work for Type 2 but not type 1

>(?P<RTG_Jsession>[0-9A-Z]{32})

Type 1:

<TransactionID xmlns="http://schemas.datacontract.org/2004/07/DotCom_Delivery">FromPDP|A50499428ZZB032F3BDCAF286EC38RNR</TransactionID>

Type 2:

Re: Field Extraction Not Showing Up

skoelpin — Tue, 19 May 2015 15:49:22 GMT

Thanks for the reply.. I currently have 2 different types of fields, I got the regex working for one type but I need an OR operator to get the other type.

Here's my current regular expression which works for type 1 but does not work for type 2. I need to have an OR operator somewhere in there so it can see | OR <

|(?P<Jsession> [0-9A-Z]{32})

Also this regular expression will work for Type 2 but not type 1

>(?P<RTG_Jsession>[0-9A-Z]{32})

Type 1:

<TransactionID xmlns="http://schemas.datacontract.org/2004/07/DotCom_Delivery">FromPDP|A50499428ZZB032F3BDCAF286EC38RNR</TransactionID>

Type 2:

Re: Field Extraction Not Showing Up

MuS — Wed, 20 May 2015 04:19:58 GMT

okay, try this:

>|<
This will match either > or | then the 32 times any alphanumeric and ends with a <
Tested and working on regex101.com

cheers, MuS

Re: Field Extraction Not Showing Up

skoelpin — Wed, 20 May 2015 14:44:11 GMT

Works perfectly!! I was using regexr.com but I'm seeing regex101.com is much better. Thanks for your help!