Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Extract field

Sekhar
Explorer
‎10-03-2023 09:14 PM

Log like.

message: [22/09/23 10:31:47:935 GMT] [ThreadPoolExecutor-thread-15759] INFO failed.", suspenseAccountNumber="941548131", suspenseAccountBSB="083021", timeCreate

as OTHER BUSINESS REASON returned by

CBIS.", debtor RoutingType="BBAN", debtor Routing Id="013013", creditor RoutingType="BBA

6899-422f-8162-6911da94e619", transactionTraceIdentification-1311b8a21-6d6c-422b-8

22T10:31:42.8152_00306", instrId="null", interactionId="null", interactionOriginators tx_uid-ANZBAU3L_A_TST01_ClrSttlmve01_2023-09-22T10:31:42.8152 00306, txId-ANZBAU3L priority-NORM, addressingType=noAlias, flow-N5XSuspense.receive]

 

 

How extract the transactionTraceIdentification filed 

 

I tried already rex field= message "transactionTraceIdentification=\"(?<transactionTraceIdentification>.*?)\","

 

Not extraxted the vaule

Labels (1)
Labels
0 Karma
Reply

Sekhar
Explorer
‎10-03-2023 09:30 PM

I tried getting empty 

0 Karma
Reply

yeahnah
Motivator
‎10-03-2023 09:33 PM

Likely message is not an extracted field then. 

Try this to extract from the _raw event

| rex field=_raw "transactionTraceIdentification-(?<transactionTraceIdentification>[^\"]+)

 

0 Karma
Reply

inventsekar
SplunkTrust
SplunkTrust
‎10-03-2023 09:33 PM

Hi @Sekhar your one line reply will not help us to help you.. pls write your full search query.. 

provide some more sample log lines.. 

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !
0 Karma
Reply

inventsekar
SplunkTrust
SplunkTrust
‎10-03-2023 09:29 PM

Hi @Sekhar ... pls provide some more log lines.. 

pls check this rex.. 

Splunk newbie learning videos, for absolute beginners:
https://www.youtube.com/@SiemNewbies101/playlists

i have added 24 small videos of rex... completely for splunk newbies and beginners.

source="rex.txt" host="laptop" sourcetype="rextest" | rex field=_raw "transactionTraceIdentification\-(?<transactionTraceIdentification>.*)" | table _raw transactionTraceIdentification
thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !
Reply

yeahnah
Motivator
‎10-03-2023 09:23 PM

Hi @Sekhar 

try this..

| rex field=message "transactionTraceIdentification-(?<transactionTraceIdentification>[^\"]+)"

 

hope that helps

Reply
Get Updates on the Splunk Community!

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

🔐 Trust at Every Hop: How mTLS in Splunk Enterprise 10.0 Makes Security Simpler

From Idea to Implementation: Why Splunk Built mTLS into Splunk Enterprise 10.0  mTLS wasn’t just a checkbox ...