Solved: Field Extraction Not Showing Up

skoelpin · ‎05-15-2015

I'm doing an extraction for Jsession ID's. I'm writing the regex myself and after previewing the events, it correctly captures 100% of what I need it to. Now after I save it and look for it in on the left in 'Fields', it's nowhere to be found. I also tried typing it into my search Jsession="*" with no luck. I'm also open to suggestions if anyone can provide regex to capture the alphanumeric Jsession ID which always has 32 characters

There is < and > before and after the word jsession but this website won't show it in the code
Here's my regex

(?PJsession)([0-9A-Z]{32})

MuS · ‎05-15-2015

Hi skoelpin,

check if you get any event at all containing the raw data for the Jsession field, as well check if you're maybe running search in fast mode http://docs.splunk.com/Documentation/Splunk/6.2.3/Search/Changethesearchmode which will not extract any other fields aside of the default ones such as host, source, and sourcetype.

cheers, MuS

View solution in original post

neelamssantosh · ‎05-15-2015

Kindly share sample log

skoelpin · ‎05-19-2015

Thanks for the reply.. I currently have 2 different types of fields, I got the regex working for one type but I need an OR operator to get the other type.

Here's my current regular expression which works for type 1 but does not work for type 2. I need to have an OR operator somewhere in there so it can see | OR <

|(?P<Jsession> [0-9A-Z]{32})

Also this regular expression will work for Type 2 but not type 1

>(?P<RTG_Jsession>[0-9A-Z]{32})

Type 1:

<TransactionID xmlns="http://schemas.datacontract.org/2004/07/DotCom_Delivery">FromPDP|A50499428ZZB032F3BDCAF286EC38RNR...>

Type 2:

MuS · ‎05-15-2015

Hi skoelpin,

check if you get any event at all containing the raw data for the Jsession field, as well check if you're maybe running search in fast mode http://docs.splunk.com/Documentation/Splunk/6.2.3/Search/Changethesearchmode which will not extract any other fields aside of the default ones such as host, source, and sourcetype.

cheers, MuS

skoelpin · ‎05-19-2015

Thanks for the reply.. I currently have 2 different types of fields, I got the regex working for one type but I need an OR operator to get the other type.

Here's my current regular expression which works for type 1 but does not work for type 2. I need to have an OR operator somewhere in there so it can see | OR <

|(?P<Jsession> [0-9A-Z]{32})

Also this regular expression will work for Type 2 but not type 1

>(?P<RTG_Jsession>[0-9A-Z]{32})

Type 1:

<TransactionID xmlns="http://schemas.datacontract.org/2004/07/DotCom_Delivery">FromPDP|A50499428ZZB032F3BDCAF286EC38RNR...>

Type 2:

MuS · ‎05-19-2015

okay, try this:

>|<
This will match either > or | then the 32 times any alphanumeric and ends with a <
Tested and working on regex101.com

cheers, MuS

skoelpin · ‎05-20-2015

Works perfectly!! I was using regexr.com but I'm seeing regex101.com is much better. Thanks for your help!

Field Extraction Not Showing Up

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life