Splunk Enterprise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Need help with regex

sbhatnagar88
Path Finder
‎11-23-2021 11:05 PM

Can some one help me to extract correlation _id from the below sample data.

requirement is to extract the correlation_id into a field.

 

ys_class_name="Incident",closed_by="",dv_closed_by="",follow_up="",dv_follow_up="",parent_incident="",dv_parent_incident="",reopened_by="",dv_reopened_by="",reassignment_count="1",dv_reassignment_count="1",assigned_to="c8c62ea2db51f090439694d3f39619dc",dv_assigned_to="pusapati dixitulu",u_reopening_reason="",dv_u_reopening_reason="None",sla_due="",dv_sla_due="UNKNOWN",comments_and_work_notes="",u_transfer_between_users="",dv_u_transfer_between_users="",agile_story="",dv_agile_story="",escalation="0",dv_escalation="Normal",upon_approval="proceed",dv_upon_approval="Proceed to Next Task",correlation_id="f725d663-7c62-4f50-82b1-1483df23562e",dv_correlation_id="f725d663-7c62-4f50-82b1-1483df23562e",u_business_area="",dv_u_business_area="None",u_plb="",dv_u_plb="None",u_division="",dv_u_division="",u_bu_code="",dv_u_bu_code="",u_is_escalated="false",dv_u_is_escalated="false",child_incidents="0",dv_child_incidents="0",task_effective_number="INC4750863",dv_task_effective_number="INC4750863",u_last_assignment="2021-11-24 05:49:28",dv_u_last_assignment="2021-11-24 06:49:28",resolved_by="",dv_resolved_by

Thanks

Labels (1)
Labels
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎11-24-2021 12:24 AM 
| rex ",correlation_id=\"(?<correlation_id>[^\"]+)\""

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎11-24-2021 12:24 AM 
| rex ",correlation_id=\"(?<correlation_id>[^\"]+)\""
0 Karma
Reply
Solved! Jump to solution

aasabatini
Motivator
‎11-24-2021 12:23 AM

Hi @sbhatnagar88 

try like this

| rex field=_raw "\,correlation_id=\"(?<correlation_id>[^ "]+)"

anyway with this log you can extract all the fields with the key-value extraction,  that's more easier to extract fields.

“The answer is out there, Neo, and it’s looking for you, and it will find you if you want it to.”
0 Karma
Reply
Solved! Jump to solution

sbhatnagar88
Path Finder
‎11-29-2021 12:10 AM

Thanks but looks like it has some syntax issues.

0 Karma
Reply
Related Topics
I need help with regex?
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...