Hi , can you please help me in field extraction of...

Hemant1 · ‎11-27-2019

ACC - 127.0.0.1 - - [27/Nov/2019:15:34:47 +0100] "GET /ja_jp/checkout/orderConfirmation/12598099392 HTTP/1.0" 302 - "https://secureacceptance.cybersource.com/" "targetapp_ios_12_Mozilla/5.0 (iPad; CPU OS 13_2_3 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148" J=F1291B21689EBBBAC9C3864AFAC9FDCD17AE26C9BC04183F079014FC7A9FCC0CE892C995CA283C7033F54B4B236B8DC5AA9B3F85A7B8E567E75430C49D075418.hybris-ecommerce-59dc4956fb-868d9 TimeMillToProcess=492 TimeMillToCommit=492

woodcock · ‎11-27-2019

Like this:

| makeresults | eval _raw="ACC - 127.0.0.1 - - [27/Nov/2019:15:34:47 +0100] \"GET /ja_jp/checkout/orderConfirmation/12598099392 HTTP/1.0\" 302 - \"https://secureacceptance.cybersource.com/\" \"targetapp_ios_12_Mozilla/5.0 (iPad; CPU OS 13_2_3 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148\" J=F1291B21689EBBBAC9C3864AFAC9FDCD17AE26C9BC04183F079014FC7A9FCC0CE892C995CA283C7033F54B4B236B8DC5AA9B3F85A7B8E567E75430C49D075418.hybris-ecommerce-59dc4956fb-868d9 TimeMillToProcess=492 TimeMillToCommit=492"
| kv
| rex "GET (?<URL>\S+)"
| rex field=URL "(?<account>\d+)"

yannK · ‎11-27-2019

if the field uri contains "checkout/orderConfirmation/12598099392"

try

mysearch | rex field=uri "orderConfirmation\/(?<confirmationNumber)\d+" | table uri confirmationNumber

Hi , can you please help me in field extraction of digit part and it will be dynamic number. the data comes in field uri=checkout/orderConfirmation/12598099392

Splunk Classroom Chronicles: Training Tales and Testimonials (Episode 2)

Index This | I am a number but I am countless. What am I?

What’s New in Splunk Enterprise 9.4: Tools for Digital Resilience