Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Field Extraction Not Showing Up

skoelpin
SplunkTrust
SplunkTrust
‎05-15-2015 01:46 PM

I'm doing an extraction for Jsession ID's. I'm writing the regex myself and after previewing the events, it correctly captures 100% of what I need it to. Now after I save it and look for it in on the left in 'Fields', it's nowhere to be found. I also tried typing it into my search Jsession="*" with no luck. I'm also open to suggestions if anyone can provide regex to capture the alphanumeric Jsession ID which always has 32 characters

There is < and > before and after the word jsession but this website won't show it in the code
Here's my regex 

(?PJsession)([0-9A-Z]{32})
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

MuS
Legend
‎05-15-2015 07:40 PM

Hi skoelpin,

check if you get any event at all containing the raw data for the Jsession field, as well check if you're maybe running search in fast mode http://docs.splunk.com/Documentation/Splunk/6.2.3/Search/Changethesearchmode which will not extract any other fields aside of the default ones such as host, source, and sourcetype.

cheers, MuS

View solution in original post

Reply
Solved! Jump to solution

neelamssantosh
Contributor
‎05-15-2015 08:11 PM

Kindly share sample log

0 Karma
Reply
Solved! Jump to solution

skoelpin
SplunkTrust
SplunkTrust
‎05-19-2015 08:49 AM

Thanks for the reply.. I currently have 2 different types of fields, I got the regex working for one type but I need an OR operator to get the other type.

Here's my current regular expression which works for type 1 but does not work for type 2. I need to have an OR operator somewhere in there so it can see | OR <

|(?P<Jsession> [0-9A-Z]{32})

Also this regular expression will work for Type 2 but not type 1

>(?P<RTG_Jsession>[0-9A-Z]{32})

Type 1:

<TransactionID xmlns="http://schemas.datacontract.org/2004/07/DotCom_Delivery"&gt;FromPDP|A50499428ZZB032F3BDCAF286EC38RNR...>

Type 2:

<TransactionID xmlns="http://schemas.datacontract.org/2004/07/DotComOrder"&gt;991459AB3A668NA7ECB5FDB44B8DC111&lt;/Transac...>

0 Karma
Reply
Solved! Jump to solution
Solution

MuS
Legend
‎05-15-2015 07:40 PM

Hi skoelpin,

check if you get any event at all containing the raw data for the Jsession field, as well check if you're maybe running search in fast mode http://docs.splunk.com/Documentation/Splunk/6.2.3/Search/Changethesearchmode which will not extract any other fields aside of the default ones such as host, source, and sourcetype.

cheers, MuS

Reply
Solved! Jump to solution

skoelpin
SplunkTrust
SplunkTrust
‎05-19-2015 08:22 AM

Thanks for the reply.. I currently have 2 different types of fields, I got the regex working for one type but I need an OR operator to get the other type.

Here's my current regular expression which works for type 1 but does not work for type 2. I need to have an OR operator somewhere in there so it can see | OR <

|(?P<Jsession> [0-9A-Z]{32})

Also this regular expression will work for Type 2 but not type 1

&gt;(?P<RTG_Jsession>[0-9A-Z]{32})

Type 1:

<TransactionID xmlns="http://schemas.datacontract.org/2004/07/DotCom_Delivery"&gt;FromPDP|A50499428ZZB032F3BDCAF286EC38RNR...>

Type 2:

<TransactionID xmlns="http://schemas.datacontract.org/2004/07/DotComOrder"&gt;991459AB3A668NA7ECB5FDB44B8DC111&lt;/Transac...>

0 Karma
Reply
Solved! Jump to solution

MuS
Legend
‎05-19-2015 09:19 PM

okay, try this:

>|<
This will match either > or | then the 32 times any alphanumeric and ends with a <
Tested and working on regex101.com

cheers, MuS

Reply
Solved! Jump to solution

skoelpin
SplunkTrust
SplunkTrust
‎05-20-2015 07:44 AM

Works perfectly!! I was using regexr.com but I'm seeing regex101.com is much better. Thanks for your help!

Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...