Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Extract field across multiple sources in different context

johnansett
Communicator
‎03-18-2019 08:40 AM

Hello Splunkers,

I need some help with a basic extraction. I have about 8 different styles of logs which have the same event format. I brought them all in with the same sourcetype.
The first logs "Processing.log" have a transaction ID in the following format:

Transaction ( 12345 )

The next log "Initiator" has the ID in the following format:

03/14/2019 18:11:53.392-> Level:8, ( 987654321, 21, 0, *'12345'*, null, TO_DATE('2019/03/01 00:00:00','YYYY/MM/DD

The next log includes it in the following event contexts:

Not included because custom value doesn't match: transaction: 12345
03/14/2019 18:10:12.685-> Level:8, Fixing transaction Id 12345

I want to extract all these events as a single field "Transaction". I thought I could do it with a "OR" (|) in regex but it's not working:

(?:Transaction\s\(\s|transaction\:\s|transaction\sId\s|100.)(?P<transaction>\d{4,5})

Thanks for your guidance!

0 Karma
Reply

nickhills
Ultra Champion
‎03-18-2019 08:50 AM

Your regex looks ok to me (although i adjusted a bit for the second example)
https://regex101.com/r/sFjR1X/2

If my comment helps, please give it a thumbs up!
0 Karma
Reply
Get Updates on the Splunk Community!

Introducing Splunk Enterprise 9.2

WATCH HERE! Watch this Tech Talk to learn about the latest features and enhancements shipped in the new Splunk ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...