topic Re: Need to extract JSESSIONID from result in Splunk Search

Need to extract JSESSIONID from result

rh417692 — Tue, 16 May 2017 18:18:04 GMT

Query: index="prod" "Null Pointer Exception"
Result: Key: value, key; value, JSESSIONID:123456.ATG.PROD, key: value

How do I extract only the JSESSIONID from the result?

Re: Need to extract JSESSIONID from result

somesoni2 — Tue, 16 May 2017 18:24:36 GMT

Try this

index="prod" "Null Pointer Exception" | rex "JSESSIONID\:(?<JSESSIONID>[^\.]+)"

Re: Need to extract JSESSIONID from result

rh417692 — Tue, 16 May 2017 18:30:33 GMT

Is there a way to capture unique JSESSIONID values?

Re: Need to extract JSESSIONID from result

somesoni2 — Tue, 16 May 2017 19:19:26 GMT

Do you mean your search result should show one event per JSESSIONID? If yes, then use like this

index="prod" "Null Pointer Exception" | rex "JSESSIONID\:(?<JSESSIONID>[^\.]+)" | dedup JSESSIONID

Re: Need to extract JSESSIONID from result

rh417692 — Tue, 16 May 2017 21:23:36 GMT

The 'dedup JSESSIONID' got me unique JSESSIONID values. Thank you @somesoni2 !

Re: Need to extract JSESSIONID from result

rh417692 — Tue, 16 May 2017 21:25:19 GMT

Do you mind explaining this part please: "JSESSIONID:(?[^.]+)" ? Does it mean to capture the value after the colon? If yes, and if there was a space after colon, would it have captured that too? How would you ignore the space after the colon?

Re: Need to extract JSESSIONID from result

somesoni2 — Tue, 16 May 2017 21:32:24 GMT

It's basically everything between JSESSIONID: and first occurance of dot. It would capture that space as well. To ignore that try this. This will ignore space if present after colon (0 or more occurance of space)

| rex "JSESSIONID\:\s*(?<JSESSIONID>[^\.]+)"