Splunk Enterprise
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Splunk Fields Extraction - Open telemetry Collector

mattt
Engager
‎05-13-2025 07:13 AM

Good morning,

I’m experiencing an issue with the following log:

15:41:41,341	
2025-05-13 15:41:41,340 DEBUG [org.jbo.res.rea.cli.log.DefaultClientLogger] (vert.x-eventloop-thread-1) requestId=31365aee-0e03-43bc-9ccd-fd465aa7a4ca Request: GET http://something.com/something/else Headers[Accept=application/json If-Modified-Since=Tue, 13 May 2025 04:00:27 GMT User-Agent=Quarkus REST Client], Empty body
2025-05-13 15:41:39,970 DEBUG [org.jbo.res.rea.cli.log.DefaultClientLogger] (vert.x-eventloop-thread-1) requestId=95a1a839-2967-4ab8-8302-f5480106adb6 Response: GET http://something.com/something/else, Status[304 Not Modified], Headers[access-control-allow-credentials=true access-control-allow-headers=content-type, accept, authorization, cache-control, pragma access-control-allow-methods=OPTIONS,HEAD,POST,GET access-control-allow-origin=* cache-control=no-cache server-timing=intid;desc=4e7d2996fd2b9cc9 set-cookie=d81b2a11fe1ca01805243b5777a6e906=abae4222185903c47a832e0c67618490; path=/; HttpOnly]

A bit of context that may be relevant: these logs are shipped using Splunk OTEL collectors.

mattt_0-1747144157701.png

In the _raw logs, I see the following field values:

FieldValue
requestID95a1a839-2967-4ab8-8302-f5480106adb6 Response: GET http://something.com/something/else
requestIDrequestId=31365aee-0e03-43bc-9ccd-fd465aa7a4ca Request: GET http://something.com/something/else

 

What I want is for the requestID, and the Request or Response parts to be extracted into separate fields.

I’ve already added the following to my props.conf:

[sourcetype*]
EXTRACT-requestId = requestId=(?<field_request>[a-f0-9\-]+)
EXTRACT-Response = Response:\s(?<field_response>([A-Z]+)\s([^\s,]+(?:[^\r\n]+)))
EXTRACT-Request = Request:\s(?<field_request>([A-Z]+)\s([^\s,]+(?:[^\r\n]+)))

I verified on regex101 that the regex matches correctly, but it's not working in Splunk.

Could the issue be that the log show Response: instead of Response= and Splunk doesn’t treat it as a proper field delimiter? Unfortunately, I’m unable to modify the source lo

What else can I check? Do I need to modify the .yml configuration for the Splunk OTEL collector, or should I stick to using props.conf and transforms.conf?

 

Thank you in advance,

Best Regards.

Matteo

Labels (2)
Labels
0 Karma
Reply

mattt
Engager
‎05-22-2025 09:01 AM

Hi @livehybrid  sorry for the late response. Unfortunately, the answer you provided does not work.

mattt_0-1747929334661.png

Still no extraction and same behaviour.
Can you help me split and create the correct splunk field?
Thanks in advance,

Matt

0 Karma
Reply

livehybrid
SplunkTrust
SplunkTrust
‎05-22-2025 09:06 AM

Looking back it looks like I might have pasted in the wrong bit as I didnt add the "in <field>"

How about this?

EXTRACT-requestId = (?<field_requestId>[a-f0-9\-]{36}) in requestId

🌟 Did this answer help you? If so, please consider:

  • Adding karma to show it was useful
  • Marking it as the solution if it resolved your issue
  • Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing

0 Karma
Reply

livehybrid
SplunkTrust
SplunkTrust
‎05-13-2025 08:18 AM

Hi @mattt 

I'm a little confused as to why requestId= is still present in the second event example.

If you want to run the regex extract against the "requestID" field then you need to add "in <fieldName>" to your extract:

<regex> in <src_field>

See the docs here

For example:

EXTRACT-requestId = (requestId=)?(?<field_requestId>[a-f0-9\-]{36})
EXTRACT-Response = Response:\s(?<field_response>([A-Z]+)\s([^\s,]+(?:[^\r\n]+)))
EXTRACT-Request = Request:\s(?<field_request>([A-Z]+)\s([^\s,]+(?:[^\r\n]+)))

🌟 Did this answer help you? If so, please consider:

  • Adding karma to show it was useful
  • Marking it as the solution if it resolved your issue
  • Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas     Cisco Live 2026 is almost here, and this ...

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Hello Splunkers,   So you searched, “what is the name of the usb key inserted by bob smith?”  Not gonna lie… ...

Automating Threat Operations and Threat Hunting with Recorded Future

    Automating Threat Operations and Threat Hunting with Recorded Future June 29, 2026 | Register   Is your ...