Splunk Enterprise

Need help with regex

sbhatnagar88
Path Finder

Can some one help me to extract correlation _id from the below sample data.

requirement is to extract the correlation_id into a field.

 

ys_class_name="Incident",closed_by="",dv_closed_by="",follow_up="",dv_follow_up="",parent_incident="",dv_parent_incident="",reopened_by="",dv_reopened_by="",reassignment_count="1",dv_reassignment_count="1",assigned_to="c8c62ea2db51f090439694d3f39619dc",dv_assigned_to="pusapati dixitulu",u_reopening_reason="",dv_u_reopening_reason="None",sla_due="",dv_sla_due="UNKNOWN",comments_and_work_notes="",u_transfer_between_users="",dv_u_transfer_between_users="",agile_story="",dv_agile_story="",escalation="0",dv_escalation="Normal",upon_approval="proceed",dv_upon_approval="Proceed to Next Task",correlation_id="f725d663-7c62-4f50-82b1-1483df23562e",dv_correlation_id="f725d663-7c62-4f50-82b1-1483df23562e",u_business_area="",dv_u_business_area="None",u_plb="",dv_u_plb="None",u_division="",dv_u_division="",u_bu_code="",dv_u_bu_code="",u_is_escalated="false",dv_u_is_escalated="false",child_incidents="0",dv_child_incidents="0",task_effective_number="INC4750863",dv_task_effective_number="INC4750863",u_last_assignment="2021-11-24 05:49:28",dv_u_last_assignment="2021-11-24 06:49:28",resolved_by="",dv_resolved_by

Thanks

Labels (1)
Tags (1)
0 Karma
1 Solution

ITWhisperer
SplunkTrust
SplunkTrust
| rex ",correlation_id=\"(?<correlation_id>[^\"]+)\""

View solution in original post

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust
| rex ",correlation_id=\"(?<correlation_id>[^\"]+)\""
0 Karma

aasabatini
Motivator

Hi @sbhatnagar88 

try like this

| rex field=_raw "\,correlation_id=\"(?<correlation_id>[^ "]+)"

anyway with this log you can extract all the fields with the key-value extraction,  that's more easier to extract fields.

“The answer is out there, Neo, and it’s looking for you, and it will find you if you want it to.”
0 Karma

sbhatnagar88
Path Finder

Thanks but looks like it has some syntax issues.

0 Karma
Get Updates on the Splunk Community!

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

(view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...