
Some value missing when extracting one new field! Help me with the regular expression for my new field.

Jennifer
Path Finder

Hi, all!

I came across an issue with extracting fields from syslog. Here are some samples of the value, "Call_Session_ID", that I want to extract:

JKYFnxBdcIIiBImIMsoJm67

tMKtr5WNYa2e9PqC1cBhswf

YoKwDKa_K9m4SS1qzbecNbl

hGpydwuxLF_iYw5AE0pe81g

F440sxU_Ntqg2zswAXgt-lW

Here's the regular expression generated by Splunk:

^[^\|\n]*\|(?P<Call_Session_ID>\w+)

Here are some sample events:

2022-01-25 12:08:04,925|F440sxU_Ntqg2zswAXgt-lW|INFO|com.hsbc.amh.civr.fallout.node.AmhCivrGenesysXferNode|execute()|***End Call***

2022-01-25 12:11:49,229|pbDdnF8QT6Bku0odJ4SL_Q8|INFO|com.hsbc.amh.civr.endcall.node.AmhCivrExitNode|execute()|***End Call***

2022-01-25 12:27:03,958|42dHIbXvXBKqG20u_m3kU5R|INFO|com.ibm._jsp._xfer_5F_genesys:svf.nodename|_jspService()|Contact Data Sent: UD_DIALLED_SERVICE:OneNumber_Jade~UD_IVR_STARTCALL_REF:0~UD_IS_HANGUP:N~UD_CUSTOMER_TYPE:Jade~UD_FALLOUT_SECTION:BankPaymentTransfer~UD_PROPOSITION:Jade~UD_SUBPROPOSITION:GeneralBanking~UD_LANGUAGE:Cantonese~UD_FALLOUT_QUEUE:Default~UD_COUNTRY_CODE:HKCC~UD_FALLOUT_REASON:Agent

Some facts about the log files:

Call_Session_ID is followed by the everytime. 

But there are some errors occurring when the results come out:

Firstly, there are some null values in the result:

[Screenshot: Jennifer_0-1643168396987.png]

Secondly, the result only shows part of the value like this:

[Screenshot: Jennifer_1-1643169051175.png]

When checking back to the event, it shows that this Call_Session_ID contains a hyphen.

2022-01-25 11:59:18,032|Yih9YAueLZSJ-va5ZAVllOc|INFO|com.hsbc.amh.civr.endcall.node.AmhCivrExitNode|execute()|***End Call***

How could I solve the problem?

johnhuang
Motivator

Try matching everything that's not a pipe "|" for Call_Session_ID. This should fix at least one of the issues.

"^[^\|\n]*\|(?P<Call_Session_ID>[^\|]*)"

If the NULL value still shows, you need to post an example of the log.
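
Added example, not part of either post: a Python check that runs the Splunk-generated pattern and the suggested pattern over two events from the thread plus one constructed event whose ID starts with a hyphen, reporting where \w+ truncates the ID or fails to match. Python's re module accepts the same (?P<name>...) syntax; the helper names extract and audit are made up for this example, and the thread does not confirm that a leading hyphen is what caused the null results.

```python
import re

# Pattern generated by Splunk (from the question): \w+ stops at the first
# character outside [A-Za-z0-9_], so a hyphen ends the capture early.
GENERATED = re.compile(r"^[^\|\n]*\|(?P<Call_Session_ID>\w+)")
# Pattern suggested in the answer: capture everything up to the next pipe.
SUGGESTED = re.compile(r"^[^\|\n]*\|(?P<Call_Session_ID>[^\|]*)")

# The first two events are from the thread; the third is constructed here.
EVENTS = [
    "2022-01-25 11:59:18,032|Yih9YAueLZSJ-va5ZAVllOc|INFO|com.hsbc.amh.civr.endcall.node.AmhCivrExitNode|execute()|***End Call***",
    "2022-01-25 12:11:49,229|pbDdnF8QT6Bku0odJ4SL_Q8|INFO|com.hsbc.amh.civr.endcall.node.AmhCivrExitNode|execute()|***End Call***",
    "2022-01-25 12:00:00,000|-CONSTRUCTEDsampleID0001|INFO|example.Node|execute()|***End Call***",
]


def extract(pattern, event):
    """Return the captured Call_Session_ID, or None when the pattern fails."""
    m = pattern.search(event)
    return m.group("Call_Session_ID") if m else None


def audit(events):
    """Compare both patterns against the raw second pipe-delimited field."""
    rows = []
    for event in events:
        raw = event.split("|")[1]
        old = extract(GENERATED, event)
        new = extract(SUGGESTED, event)
        if old is None:
            status = "no match"      # field would be missing for this event
        elif old != raw:
            status = "truncated"     # capture ended at a non-word character
        else:
            status = "ok"
        rows.append((raw, old, new, status))
    return rows


if __name__ == "__main__":
    for raw, old, new, status in audit(EVENTS):
        print(f"{raw}  generated={old!r}  suggested={new!r}  [{status}]")
```

A truncated session ID is worth catching early: two different calls whose IDs share a prefix before the hyphen would be merged when events are grouped by the extracted field.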

 
