Splunk IT Service Intelligence

Hi, can you please help me with field extraction of the digit part? It will be a dynamic number. The data comes in field uri=checkout/orderConfirmation/12598099392


ACC - - - [27/Nov/2019:15:34:47 +0100] "GET /ja_jp/checkout/orderConfirmation/12598099392 HTTP/1.0" 302 - "https://secureacceptance.cybersource.com/" "targetapp_ios_12_Mozilla/5.0 (iPad; CPU OS 13_2_3 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148" J=F1291B21689EBBBAC9C3864AFAC9FDCD17AE26C9BC04183F079014FC7A9FCC0CE892C995CA283C7033F54B4B236B8DC5AA9B3F85A7B8E567E75430C49D075418.hybris-ecommerce-59dc4956fb-868d9 TimeMillToProcess=492 TimeMillToCommit=492


Esteemed Legend

Like this:

| makeresults | eval _raw="ACC - - - [27/Nov/2019:15:34:47 +0100] \"GET /ja_jp/checkout/orderConfirmation/12598099392 HTTP/1.0\" 302 - \"https://secureacceptance.cybersource.com/\" \"targetapp_ios_12_Mozilla/5.0 (iPad; CPU OS 13_2_3 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148\" J=F1291B21689EBBBAC9C3864AFAC9FDCD17AE26C9BC04183F079014FC7A9FCC0CE892C995CA283C7033F54B4B236B8DC5AA9B3F85A7B8E567E75430C49D075418.hybris-ecommerce-59dc4956fb-868d9 TimeMillToProcess=492 TimeMillToCommit=492"
| kv
| rex "GET (?<URL>\S+)"
| rex field=URL "(?<account>\d+)"

Splunk Employee

If the field uri contains "checkout/orderConfirmation/12598099392":


mysearch | rex field=uri "orderConfirmation\/(?<confirmationNumber>\d+)" | table uri confirmationNumber
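Added example, not part of either answer above: a Python check of the extraction against several access-log lines, going beyond the single sample event to URIs that carry other digits or a malformed order number. The shortened events, the `/v2/` prefix, the query string and all function names are constructed for illustration; the pattern anchors on the `orderConfirmation` path segment so that only the number following it is captured.

```python
import re

# Python writes named groups as (?P<name>...); Splunk's rex uses (?<name>...).
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/[\d.]+"')

# Anchor on the path segment and require the digits to end at a segment
# boundary (/, ?, # or end of string), so "12ab" is not half-matched.
ORDER_RE = re.compile(
    r'/checkout/orderConfirmation/(?P<confirmationNumber>\d+)(?=[/?#]|$)')

# Unanchored alternative: the first run of digits anywhere in the URI.
FIRST_DIGITS_RE = re.compile(r'\d+')

# Constructed sample events, shortened from the log format in the question.
SAMPLE_EVENTS = [
    'ACC - - - [27/Nov/2019:15:34:47 +0100] '
    '"GET /ja_jp/checkout/orderConfirmation/12598099392 HTTP/1.0" 302 -',
    'ACC - - - [27/Nov/2019:15:35:02 +0100] '
    '"GET /v2/ja_jp/checkout/orderConfirmation/12598099393?step=3 HTTP/1.0" 200 -',
    'ACC - - - [27/Nov/2019:15:35:10 +0100] '
    '"GET /ja_jp/checkout/cart/7 HTTP/1.0" 200 -',
    'ACC - - - [27/Nov/2019:15:35:11 +0100] '
    '"GET /ja_jp/checkout/orderConfirmation/12ab HTTP/1.0" 404 -',
]

def request_uri(raw_event):
    """Return the request path from an access-log line, or None."""
    m = REQUEST_RE.search(raw_event)
    return m.group("uri") if m else None

def confirmation_number(uri):
    """Return the order confirmation number, or None if the URI has none."""
    m = ORDER_RE.search(uri) if uri else None
    return m.group("confirmationNumber") if m else None

def first_digit_run(uri):
    """Return the first run of digits in the URI, or None."""
    m = FIRST_DIGITS_RE.search(uri) if uri else None
    return m.group(0) if m else None

def extract_all(events):
    """Return (uri, anchored, unanchored) for each event, for comparison."""
    uris = [request_uri(e) for e in events]
    return [(u, confirmation_number(u), first_digit_run(u)) for u in uris]

if __name__ == "__main__":
    for uri, anchored, unanchored in extract_all(SAMPLE_EVENTS):
        print(f"{uri}\n  anchored={anchored}  first_digits={unanchored}")
```

The anchored pattern leaves the field empty on events that are not order confirmations, which keeps unrelated numbers out of downstream searches and alerts.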