Splunk IT Service Intelligence

Hi , can you please help me in field extraction of digit part and it will be dynamic number. the data comes in field uri=checkout/orderConfirmation/12598099392

Engager

ACC - 127.0.0.1 - - [27/Nov/2019:15:34:47 +0100] "GET /ja_jp/checkout/orderConfirmation/12598099392 HTTP/1.0" 302 - "https://secureacceptance.cybersource.com/" "targetapp_ios_12_Mozilla/5.0 (iPad; CPU OS 13_2_3 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148" J=F1291B21689EBBBAC9C3864AFAC9FDCD17AE26C9BC04183F079014FC7A9FCC0CE892C995CA283C7033F54B4B236B8DC5AA9B3F85A7B8E567E75430C49D075418.hybris-ecommerce-59dc4956fb-868d9 TimeMillToProcess=492 TimeMillToCommit=492

0 Karma

Esteemed Legend

Like this:

| makeresults | eval _raw="ACC - 127.0.0.1 - - [27/Nov/2019:15:34:47 +0100] \"GET /ja_jp/checkout/orderConfirmation/12598099392 HTTP/1.0\" 302 - \"https://secureacceptance.cybersource.com/\" \"targetapp_ios_12_Mozilla/5.0 (iPad; CPU OS 13_2_3 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148\" J=F1291B21689EBBBAC9C3864AFAC9FDCD17AE26C9BC04183F079014FC7A9FCC0CE892C995CA283C7033F54B4B236B8DC5AA9B3F85A7B8E567E75430C49D075418.hybris-ecommerce-59dc4956fb-868d9 TimeMillToProcess=492 TimeMillToCommit=492"
| kv
| rex "GET (?<URL>\S+)"
| rex field=URL "(?<account>\d+)"
0 Karma

Splunk Employee
Splunk Employee

if the field uri contains "checkout/orderConfirmation/12598099392"

try

mysearch | rex field=uri "orderConfirmation\/(?<confirmationNumber)\d+" | table uri confirmationNumber
0 Karma
Don’t Miss Global Splunk
User Groups Week!

Free LIVE events worldwide 2/8-2/12
Connect, learn, and collect rad prizes
and swag!