Splunk Enterprise
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Splunk Fields Extraction - Open telemetry Collector

mattt
Loves-to-Learn
‎05-13-2025 07:13 AM

Good morning,

I’m experiencing an issue with the following log:

15:41:41,341	
2025-05-13 15:41:41,340 DEBUG [org.jbo.res.rea.cli.log.DefaultClientLogger] (vert.x-eventloop-thread-1) requestId=31365aee-0e03-43bc-9ccd-fd465aa7a4ca Request: GET http://something.com/something/else Headers[Accept=application/json If-Modified-Since=Tue, 13 May 2025 04:00:27 GMT User-Agent=Quarkus REST Client], Empty body
2025-05-13 15:41:39,970 DEBUG [org.jbo.res.rea.cli.log.DefaultClientLogger] (vert.x-eventloop-thread-1) requestId=95a1a839-2967-4ab8-8302-f5480106adb6 Response: GET http://something.com/something/else, Status[304 Not Modified], Headers[access-control-allow-credentials=true access-control-allow-headers=content-type, accept, authorization, cache-control, pragma access-control-allow-methods=OPTIONS,HEAD,POST,GET access-control-allow-origin=* cache-control=no-cache server-timing=intid;desc=4e7d2996fd2b9cc9 set-cookie=d81b2a11fe1ca01805243b5777a6e906=abae4222185903c47a832e0c67618490; path=/; HttpOnly]

A bit of context that may be relevant: these logs are shipped using Splunk OTEL collectors.

mattt_0-1747144157701.png

In the _raw logs, I see the following field values:

FieldValue
requestID95a1a839-2967-4ab8-8302-f5480106adb6 Response: GET http://something.com/something/else
requestIDrequestId=31365aee-0e03-43bc-9ccd-fd465aa7a4ca Request: GET http://something.com/something/else

 

What I want is for the requestID, and the Request or Response parts to be extracted into separate fields.

I’ve already added the following to my props.conf:

[sourcetype*]
EXTRACT-requestId = requestId=(?<field_request>[a-f0-9\-]+)
EXTRACT-Response = Response:\s(?<field_response>([A-Z]+)\s([^\s,]+(?:[^\r\n]+)))
EXTRACT-Request = Request:\s(?<field_request>([A-Z]+)\s([^\s,]+(?:[^\r\n]+)))

I verified on regex101 that the regex matches correctly, but it's not working in Splunk.

Could the issue be that the log show Response: instead of Response= and Splunk doesn’t treat it as a proper field delimiter? Unfortunately, I’m unable to modify the source lo

What else can I check? Do I need to modify the .yml configuration for the Splunk OTEL collector, or should I stick to using props.conf and transforms.conf?

 

Thank you in advance,

Best Regards.

Matteo

Labels (2)
Labels
0 Karma
Reply

mattt
Loves-to-Learn
‎05-22-2025 09:01 AM

Hi @livehybrid  sorry for the late response. Unfortunately, the answer you provided does not work.

mattt_0-1747929334661.png

Still no extraction and same behaviour.
Can you help me split and create the correct splunk field?
Thanks in advance,

Matt

0 Karma
Reply

livehybrid
SplunkTrust
SplunkTrust
‎05-22-2025 09:06 AM

Looking back it looks like I might have pasted in the wrong bit as I didnt add the "in <field>"

How about this?

EXTRACT-requestId = (?<field_requestId>[a-f0-9\-]{36}) in requestId

🌟 Did this answer help you? If so, please consider:

  • Adding karma to show it was useful
  • Marking it as the solution if it resolved your issue
  • Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing

0 Karma
Reply

livehybrid
SplunkTrust
SplunkTrust
‎05-13-2025 08:18 AM

Hi @mattt 

I'm a little confused as to why requestId= is still present in the second event example.

If you want to run the regex extract against the "requestID" field then you need to add "in <fieldName>" to your extract:

<regex> in <src_field>

See the docs here

For example:

EXTRACT-requestId = (requestId=)?(?<field_requestId>[a-f0-9\-]{36})
EXTRACT-Response = Response:\s(?<field_response>([A-Z]+)\s([^\s,]+(?:[^\r\n]+)))
EXTRACT-Request = Request:\s(?<field_request>([A-Z]+)\s([^\s,]+(?:[^\r\n]+)))

🌟 Did this answer help you? If so, please consider:

  • Adding karma to show it was useful
  • Marking it as the solution if it resolved your issue
  • Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Community Content Calendar, September edition

Welcome to another insightful post from our Community Content Calendar! We're thrilled to continue bringing ...

Splunkbase Unveils New App Listing Management Public Preview

Splunkbase Unveils New App Listing Management Public PreviewWe're thrilled to announce the public preview of ...

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you leveraging automation to its fullest potential in your threat detection strategy?Our upcoming Security ...