Splunk Dev
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

rex command

saifdj
Engager
‎05-04-2020 03:58 AM

How to fetch activity id using rex command

Log record:

DATA= {"note":"Succeeded | {\r\n \"service.url\": \"\",\r\n \"enable.debug\": false,\r\n \"permission.base.url\": \"\",\r\n \"userInfo.base.url\": \"\",\r\n \"storeId.base.url\": \"\",\r\n \"app.session.timeout\": 25\r\n},activityId: 64AB3318-4DA3-4D38-9800-5DABCC7EC263,","appVersion":"1.10"

I tried below query with no luck,

| rex field=DATA ",activityId: (?<ACTIVITY_ID_VALUE>.*)"

Trying to fetch value "64AB3318-4DA3-4D38-9800-5DABCC7EC263" and show in table

0 Karma
Reply

PavelP
Motivator
‎05-04-2020 05:46 AM

Hello @saifdj

please double check you that you have an extracted field DATA.

If not you can use a general regex applied to whole _raw event (which is not so effizient as you indended):

rex "activityId: (?<a1>[\w\-]+)"

Please let me know how if it worked

0 Karma
Reply

cpetterborg
SplunkTrust
SplunkTrust
‎05-04-2020 10:20 AM

Slightly more generic (since it looks like a comma is the delimiter):

... | rex "activityId: (?<ACTIVITY_ID_VALUE>[^,]+)"
0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability as Code: From Zero to Dashboard

For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...