Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Extract field across multiple sources in different context

johnansett
Communicator
‎03-18-2019 08:40 AM

Hello Splunkers,

I need some help with a basic extraction. I have about 8 different styles of logs which have the same event format. I brought them all in with the same sourcetype.
The first logs "Processing.log" have a transaction ID in the following format:

Transaction ( 12345 )

The next log "Initiator" has the ID in the following format:

03/14/2019 18:11:53.392-> Level:8, ( 987654321, 21, 0, *'12345'*, null, TO_DATE('2019/03/01 00:00:00','YYYY/MM/DD

The next log includes it in the following event contexts:

Not included because custom value doesn't match: transaction: 12345
03/14/2019 18:10:12.685-> Level:8, Fixing transaction Id 12345

I want to extract all these events as a single field "Transaction". I thought I could do it with a "OR" (|) in regex but it's not working:

(?:Transaction\s\(\s|transaction\:\s|transaction\sId\s|100.)(?P<transaction>\d{4,5})

Thanks for your guidance!

0 Karma
Reply

nickhills
Ultra Champion
‎03-18-2019 08:50 AM

Your regex looks ok to me (although i adjusted a bit for the second example)
https://regex101.com/r/sFjR1X/2

If my comment helps, please give it a thumbs up!
0 Karma
Reply
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...