All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Some value missing when extracting one new field! Help me with the regular expression for my new field.

Jennifer
Path Finder
‎01-25-2022 07:55 PM

Hi, all!

I came across with an issue with extracting fields from syslog. Here are some samples of the value which is "Call_Session_ID" I want to extract:

JKYFnxBdcIIiBImIMsoJm67

tMKtr5WNYa2e9PqC1cBhswf

YoKwDKa_K9m4SS1qzbecNbl

hGpydwuxLF_iYw5AE0pe81g

F440sxU_Ntqg2zswAXgt-lW

Here's the regular expression generated by Splunk:

^[^\|\n]*\|(?P<Call_Session_ID>\w+)

Here's some sample events:

2022-01-25 12:08:04,925|F440sxU_Ntqg2zswAXgt-lW|INFO|com.hsbc.amh.civr.fallout.node.AmhCivrGenesysXferNode|execute()|***End Call***

2022-01-25 12:11:49,229|pbDdnF8QT6Bku0odJ4SL_Q8|INFO|com.hsbc.amh.civr.endcall.node.AmhCivrExitNode|execute()|***End Call***

2022-01-25 12:27:03,958|42dHIbXvXBKqG20u_m3kU5R|INFO|com.ibm._jsp._xfer_5F_genesys:svf.nodename|_jspService()|Contact Data Sent: UD_DIALLED_SERVICE:OneNumber_Jade~UD_IVR_STARTCALL_REF:0~UD_IS_HANGUP:N~UD_CUSTOMER_TYPE:Jade~UD_FALLOUT_SECTION:BankPaymentTransfer~UD_PROPOSITION:Jade~UD_SUBPROPOSITION:GeneralBanking~UD_LANGUAGE:Cantonese~UD_FALLOUT_QUEUE:Default~UD_COUNTRY_CODE:HKCC~UD_FALLOUT_REASON:Agent

Some facts about the log files:

Call_Session_ID is followed by the everytime. 

But there's some errors occurring when the results come out:

Firstly, there's some null value in the result:

Jennifer_0-1643168396987.png

Secondly, the result only shows part of the value like this:

Jennifer_1-1643169051175.png

When checking back to the event, it shows that this Call_Session_ID contains a hyphen.

2022-01-25 11:59:18,032|Yih9YAueLZSJ-va5ZAVllOc|INFO|com.hsbc.amh.civr.endcall.node.AmhCivrExitNode|execute()|***End Call***

 How could I solve the problem?

 

 

 

 

Labels (1)
Labels
Tags (1)
0 Karma
Reply

johnhuang
Motivator
‎01-25-2022 09:32 PM

Try matching everything that's not a pipe "|" for Call_Session_ID. This should fix at least one of the issue.

"^[^\|\n]*\|(?P<Call_Session_ID>[^\|]*)"

If the NULL value still shows, you need to post an example of the log.

 

Reply
Get Updates on the Splunk Community!

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...