
Some value missing when extracting one new field! Help me with the regular expression for my new field.

Jennifer
Path Finder

Hi, all!

I came across an issue with extracting fields from syslog. Here are some samples of the value, "Call_Session_ID", that I want to extract:

JKYFnxBdcIIiBImIMsoJm67

tMKtr5WNYa2e9PqC1cBhswf

YoKwDKa_K9m4SS1qzbecNbl

hGpydwuxLF_iYw5AE0pe81g

F440sxU_Ntqg2zswAXgt-lW

Here's the regular expression generated by Splunk:

^[^\|\n]*\|(?P<Call_Session_ID>\w+)

Here are some sample events:

2022-01-25 12:08:04,925|F440sxU_Ntqg2zswAXgt-lW|INFO|com.hsbc.amh.civr.fallout.node.AmhCivrGenesysXferNode|execute()|***End Call***

2022-01-25 12:11:49,229|pbDdnF8QT6Bku0odJ4SL_Q8|INFO|com.hsbc.amh.civr.endcall.node.AmhCivrExitNode|execute()|***End Call***

2022-01-25 12:27:03,958|42dHIbXvXBKqG20u_m3kU5R|INFO|com.ibm._jsp._xfer_5F_genesys:svf.nodename|_jspService()|Contact Data Sent: UD_DIALLED_SERVICE:OneNumber_Jade~UD_IVR_STARTCALL_REF:0~UD_IS_HANGUP:N~UD_CUSTOMER_TYPE:Jade~UD_FALLOUT_SECTION:BankPaymentTransfer~UD_PROPOSITION:Jade~UD_SUBPROPOSITION:GeneralBanking~UD_LANGUAGE:Cantonese~UD_FALLOUT_QUEUE:Default~UD_COUNTRY_CODE:HKCC~UD_FALLOUT_REASON:Agent

Some facts about the log files:

Call_Session_ID is followed by the everytime. 

But there are some errors when the results come out:

Firstly, there are some null values in the result:

Jennifer_0-1643168396987.png

Secondly, the result only shows part of the value like this:

Jennifer_1-1643169051175.png

When checking back to the event, it shows that this Call_Session_ID contains a hyphen.

2022-01-25 11:59:18,032|Yih9YAueLZSJ-va5ZAVllOc|INFO|com.hsbc.amh.civr.endcall.node.AmhCivrExitNode|execute()|***End Call***

 How could I solve the problem?

 

 

 

 


johnhuang
Motivator

Try matching everything that's not a pipe "|" for Call_Session_ID. This should fix at least one of the issues.

"^[^\|\n]*\|(?P<Call_Session_ID>[^\|]*)"

If the NULL value still shows, you need to post an example of the log.
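Added example, not part of the original thread: a Python check that runs the generated regex and the suggested one over pipe-delimited events and flags every event where the extracted Call_Session_ID differs from the second field. The first two events are copied from the question; the third, with an ID that starts with a hyphen, is constructed to show one way `\w+` can yield a null (an assumption, not confirmed by the thread), and the helper names `extract` and `audit` are hypothetical.

```python
import re

# Regex generated by Splunk (from the question) and the replacement from the answer.
GENERATED = re.compile(r"^[^\|\n]*\|(?P<Call_Session_ID>\w+)")
SUGGESTED = re.compile(r"^[^\|\n]*\|(?P<Call_Session_ID>[^\|]*)")

EVENTS = [
    # Copied from the thread: ID contains only letters, digits and underscore.
    "2022-01-25 12:11:49,229|pbDdnF8QT6Bku0odJ4SL_Q8|INFO|"
    "com.hsbc.amh.civr.endcall.node.AmhCivrExitNode|execute()|***End Call***",
    # Copied from the thread: ID contains a hyphen in the middle.
    "2022-01-25 11:59:18,032|Yih9YAueLZSJ-va5ZAVllOc|INFO|"
    "com.hsbc.amh.civr.endcall.node.AmhCivrExitNode|execute()|***End Call***",
    # Constructed for this example: ID starts with a hyphen.
    "2022-01-25 12:00:00,000|-Ab3dEf9hIjKlMnOpQrStUv|INFO|"
    "com.hsbc.amh.civr.endcall.node.AmhCivrExitNode|execute()|***End Call***",
]


def extract(pattern, event):
    """Return the captured Call_Session_ID, or None when the regex does not match."""
    match = pattern.search(event)
    return match.group("Call_Session_ID") if match else None


def audit(pattern, events):
    """Compare each extraction with the true second pipe-delimited field."""
    report = {"ok": [], "truncated": [], "null": []}
    for event in events:
        expected = event.split("|")[1]  # ground truth: field after the timestamp
        got = extract(pattern, event)
        if got is None:
            report["null"].append(expected)
        elif got != expected:
            report["truncated"].append((expected, got))
        else:
            report["ok"].append(expected)
    return report


if __name__ == "__main__":
    for name, pattern in (("generated", GENERATED), ("suggested", SUGGESTED)):
        print(name, audit(pattern, EVENTS))
```

Running the same comparison against a larger sample of real events shows whether any IDs are still being dropped or shortened before the field is used to correlate call sessions.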

 
