Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Highlighted

Extract field across multiple sources in different context

johnansett
Path Finder
‎03-18-2019 08:40 AM

Hello Splunkers,

I need some help with a basic extraction. I have about 8 different styles of logs which have the same event format. I brought them all in with the same sourcetype.
The first logs "Processing.log" have a transaction ID in the following format:

Transaction ( 12345 )

The next log "Initiator" has the ID in the following format:

03/14/2019 18:11:53.392-> Level:8, ( 987654321, 21, 0, *'12345'*, null, TO_DATE('2019/03/01 00:00:00','YYYY/MM/DD

The next log includes it in the following event contexts:

Not included because custom value doesn't match: transaction: 12345
03/14/2019 18:10:12.685-> Level:8, Fixing transaction Id 12345

I want to extract all these events as a single field "Transaction". I thought I could do it with a "OR" (|) in regex but it's not working:

(?:Transaction\s\(\s|transaction\:\s|transaction\sId\s|100.)(?P<transaction>\d{4,5})

Thanks for your guidance!

0 Karma
Reply
Highlighted

Re: Extract field across multiple sources in different context

nickhillscpl
Ultra Champion
‎03-18-2019 08:50 AM

Your regex looks ok to me (although i adjusted a bit for the second example)
https://regex101.com/r/sFjR1X/2

0 Karma
Reply