Splunk Enterprise

Rex for "CEOTransactionSessionId":"1D2667DC-7849-1122-3FE3-C4A08EAC9FEB"?

Rakzskull
Path Finder

Hi Guys,

 

Could you possibly assist me with creating a rex for the log below?

Rex for "CEOTransactionSessionId":"1D2667DC-7849-1122-3FE3-C4A08EAC9FEB"

0 Karma

Rakzskull
Path Finder

@ITWhisperer What would be the rex for --> [en_US] [ANDROID] [23.3.0]

Thanks in advance

0 Karma

ITWhisperer
SplunkTrust

With the previous request, it seemed obvious that you wanted to extract the field value (assuming this was a JSON field), however, with this request, it is not clear what you are asking for. Please clarify what you are trying to do.

0 Karma

Rakzskull
Path Finder

@ITWhisperer I'd want to extract fields, however some of them aren't in interesting fields. The first one you provided worked, so if you could make the rex for this as well:

[04/24/2023 05:47:38.551][530e4835abe4717b,530e4835abe4717b,,][CAPIRESP] [ec-25] I [go.web.filter.APILoggingFilter: ] [en_US] [ANDROID] [23.3.0] 

I'd want to copy the text in bold above.

0 Karma

ITWhisperer
SplunkTrust

For rex, you need anchors. I have assumed the end of the event will act as the anchor.

\[(?<lang>[^\]]+)\]\s\[(?<os>[^\]]+)\]\s\[(?<version>[^\]]+)\]\s?$

If this doesn't work, you will have to share your actual events (anonymised of course), preferably in a code block </> similar to above, so that formatting is preserved.

0 Karma
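
Added example (not part of the thread and not ITWhisperer's code): the end-of-event anchor from the answer above, exercised in JavaScript, which accepts these patterns' named-group syntax as written. The unanchored variant and the event with a trailing JSON body are constructed for comparison; the session-ID pattern is the one posted in this thread for the first question.

```javascript
// Patterns copied from the thread; JavaScript accepts the same (?<name>...) syntax.
const TAIL_FIELDS = /\[(?<lang>[^\]]+)\]\s\[(?<os>[^\]]+)\]\s\[(?<version>[^\]]+)\]\s?$/;
const SESSION_ID = /\"CEOTransactionSessionId\":\"(?<CEOTransactionSessionId>[^\"]+)\"/;
// Constructed for comparison: the first pattern with its end-of-event anchor removed.
const TAIL_FIELDS_UNANCHORED = /\[(?<lang>[^\]]+)\]\s\[(?<os>[^\]]+)\]\s\[(?<version>[^\]]+)\]/;

// Event as posted in the thread (including its trailing space).
const THREAD_EVENT =
  '[04/24/2023 05:47:38.551][530e4835abe4717b,530e4835abe4717b,,][CAPIRESP] [ec-25] I ' +
  '[go.web.filter.APILoggingFilter: ] [en_US] [ANDROID] [23.3.0] ';
// Constructed event: same header followed by a JSON body, so the
// bracketed fields are no longer the last thing in the event.
const PAYLOAD_EVENT =
  THREAD_EVENT + '{"CEOTransactionSessionId":"1D2667DC-7849-1122-3FE3-C4A08EAC9FEB"}';

// Return the named captures as a plain object, or null when the pattern does not match.
function extract(pattern, event) {
  const m = pattern.exec(event);
  return m ? { ...m.groups } : null;
}

// Summarise what each pattern yields for one event.
function report(event) {
  return {
    anchored: extract(TAIL_FIELDS, event),
    unanchored: extract(TAIL_FIELDS_UNANCHORED, event),
    session: extract(SESSION_ID, event),
  };
}

for (const [name, event] of [['thread', THREAD_EVENT], ['payload', PAYLOAD_EVENT]]) {
  console.log(name, JSON.stringify(report(event)));
}
```

Without the anchor the first run of three bracketed groups wins, so `lang` silently becomes the logger name and the other fields shift; with the anchor, an event that carries anything after the version bracket yields no fields at all.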

ITWhisperer
SplunkTrust

\"CEOTransactionSessionId\":\"(?<CEOTransactionSessionId>[^\"]+)\"