
Field Extraction Not Showing Up

SplunkTrust

I'm doing an extraction for Jsession IDs. I'm writing the regex myself, and after previewing the events it correctly captures 100% of what I need it to. Now, after I save it and look for it on the left in 'Fields', it's nowhere to be found. I also tried typing Jsession="*" into my search with no luck. I'm also open to suggestions if anyone can provide a regex to capture the alphanumeric Jsession ID, which always has 32 characters.

There are < and > before and after the word Jsession, but this website won't show them in the code.
Here's my regex:

(?P<Jsession>[0-9A-Z]{32})
0 Karma
1 Solution

SplunkTrust

Hi skoelpin,

check if you get any event at all containing the raw data for the Jsession field, and also check whether you're running the search in fast mode (http://docs.splunk.com/Documentation/Splunk/6.2.3/Search/Changethesearchmode), which will not extract any fields aside from the default ones such as host, source, and sourcetype.

cheers, MuS


Contributor

Kindly share sample log

0 Karma

SplunkTrust

Thanks for the reply. I currently have 2 different types of fields. I got the regex working for one type, but I need an OR operator to get the other type.

Here's my current regular expression, which works for type 1 but does not work for type 2. I need to have an OR operator somewhere in there so it can see | OR <

\|(?P<Jsession>[0-9A-Z]{32})

Also, this regular expression will work for Type 2 but not type 1:

>(?P<RTG_Jsession>[0-9A-Z]{32})

Type 1:

<TransactionID xmlns="http://schemas.datacontract.org/2004/07/DotCom_Delivery">FromPDP|A50499428ZZB032F3BDCAF286EC38RNR...>

Type 2:

<TransactionID xmlns="http://schemas.datacontract.org/2004/07/DotComOrder">991459AB3A668NA7ECB5FDB44B8DC111</Transac...>

0 Karma

SplunkTrust

okay, try this:

(?:>|\|)(?P<Jsession>[0-9A-Z]{32})<

This will match either > or |, then 32 alphanumerics, and ends with a <.
Tested and working on regex101.com.

cheers, MuS
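As an added example (not code from the thread), here is the combined pattern MuS describes run against both TransactionID formats, next to the two per-type patterns from skoelpin's reply. Python's re module is used as a stand-in for Splunk's PCRE engine; both accept the same (?P<name>...) named-group syntax. The sample events are constructed: the two IDs are the ones quoted in the thread, while the closing </TransactionID> tag and the empty, too-short and too-long variants are assumptions added to exercise the edge cases.

```python
import re

# Combined extraction in the shape MuS describes: a delimiter of either '>' or
# '|', then exactly 32 upper-case alphanumerics, then the closing '<'.
# Python's re module accepts the same (?P<name>...) named-group syntax as
# Splunk's PCRE-based field extractions.
COMBINED_RE = re.compile(r"(?:>|\|)(?P<Jsession>[0-9A-Z]{32})<")

# The two per-type patterns from the thread. The leading '|' is escaped: an
# unescaped '|' is alternation and would match the empty string first.
TYPE1_RE = re.compile(r"\|(?P<Jsession>[0-9A-Z]{32})")
TYPE2_RE = re.compile(r">(?P<Jsession>[0-9A-Z]{32})")

ID_TYPE1 = "A50499428ZZB032F3BDCAF286EC38RNR"  # quoted in the thread
ID_TYPE2 = "991459AB3A668NA7ECB5FDB44B8DC111"  # quoted in the thread

# Constructed sample events modelled on the two formats in the thread. The
# closing </TransactionID> tag is an assumption (the thread's samples are
# truncated); events 3-5 are made up to exercise failure modes.
SAMPLE_EVENTS = [
    # 1. Type 1: a "FromPDP|" prefix precedes the ID
    '<TransactionID xmlns="http://schemas.datacontract.org/2004/07/DotCom_Delivery">'
    "FromPDP|" + ID_TYPE1 + "</TransactionID>",
    # 2. Type 2: the ID directly follows the tag's '>'
    '<TransactionID xmlns="http://schemas.datacontract.org/2004/07/DotComOrder">'
    + ID_TYPE2 + "</TransactionID>",
    # 3. Empty element: nothing to extract, must yield None rather than garbage
    '<TransactionID xmlns="http://schemas.datacontract.org/2004/07/DotComOrder">'
    "</TransactionID>",
    # 4. ID one character too short: must not be extracted
    '<TransactionID xmlns="http://schemas.datacontract.org/2004/07/DotComOrder">'
    + ID_TYPE2[:-1] + "</TransactionID>",
    # 5. ID one character too long: a pattern without the closing '<' silently
    #    returns the first 32 characters instead of rejecting the value
    '<TransactionID xmlns="http://schemas.datacontract.org/2004/07/DotComOrder">'
    + ID_TYPE2 + "X</TransactionID>",
]


def extract_jsession(event, pattern=COMBINED_RE):
    """Return the 32-character Jsession value from one event, or None."""
    m = pattern.search(event)
    return m.group("Jsession") if m else None


def extract_all(events, pattern=COMBINED_RE):
    """Run one extraction pattern over a list of events, preserving order."""
    return [extract_jsession(e, pattern) for e in events]


if __name__ == "__main__":
    for name, pat in (("type1", TYPE1_RE), ("type2", TYPE2_RE), ("combined", COMBINED_RE)):
        print(f"{name:9s}", extract_all(SAMPLE_EVENTS, pat))
```

Running it shows the type 1 pattern only covering event 1, the type 2 pattern covering event 2 but also mis-reporting the over-long value in event 5 as a valid ID, and the combined pattern extracting exactly the two well-formed IDs and returning None for the rest. That last row is the reason to keep the trailing `<` when the same pattern is used in a Splunk field extraction or a search-time `rex field=_raw "..."` command: a malformed value is surfaced as a missing field instead of being silently truncated into something that looks legitimate.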

SplunkTrust

Works perfectly!! I was using regexr.com, but I'm seeing regex101.com is much better. Thanks for your help!