Any string starting with COLDAPP, ending with a double colon, would be a Tx id in my logs. It can be at the beginning/middle/end, as the logs are not always fully structured. How do I write a regex to return a matching pattern that starts with COLDAPP and ends with a double colon, excluding the double colon in the returned pattern?
Example of log:
BaseProcessor pool-62-thread-84 - COLDAPP_WS_780144376_148455147959900002_pbv14slm2_12910::3tWofZ2Bb
I am trying
How do I return
Thanks in advance for your help.
@dtregonning_splunk somehow it's not working. I am trying my query on regex101.com. Is there anything wrong I would be doing?
PS: I was trying to attach a snap, but I got a message that I would need more karma points to attach an image in the post.
@dtregonning_splunk how/where do I specify the name of the extracted field in this format? On the regex portal it does return the correct value. How would this work in Splunk, as I understand we need to specify the extracted field name in the query itself with triangular brackets? I tried putting triangular brackets in the query but am getting a syntax error.
Replace fieldnamexxx with whatever you would like to call the extraction field.
@dtregonning_splunk somehow the Splunk comment omits the field name while we comment. I see it was omitted in the question I posted, and the response you are posting. It would be great if you can post a screenshot with the field name.
I truly appreciate your help.
By the way, how many points do I need to earn before I can start posting images in the comments?
@pradjswl - 60 Karma points are required to attach files. Here's a general outline of how to earn Karma points on Answers as well as how much Karma is required in order to unlock certain site capabilities.
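The extraction asked about at the top of this thread, as an added example that is not part of any post: a named capture group plus a lookahead, so the `::` is required but not returned. The group name `tx_id`, the function names and every sample line except the first are constructed for illustration, and the Tx id is assumed to contain no whitespace.

```javascript
// Sample lines: the first is the log line quoted in the question,
// the rest are constructed to cover start/middle/end and non-matching cases.
const SAMPLE_LINES = [
  "BaseProcessor pool-62-thread-84 - COLDAPP_WS_780144376_148455147959900002_pbv14slm2_12910::3tWofZ2Bb",
  "COLDAPP_WS_1_2_abc_3::id at start of line",
  "retry COLDAPP_WS_4_5_def_6:: then COLDAPP_WS_7_8_ghi_9::done",
  "COLDAPP_WS_10_11_jkl_12 has no terminator",
  "worker: COLDAPP_WS_13_14_mno_15:single colon only",
];

// (?<tx_id>...) names the captured field (hypothetical name).
// COLDAPP\S*?  starts at COLDAPP and grows lazily over non-whitespace.
// (?=::)       requires the double colon but leaves it out of the match.
const TX_ID = /(?<tx_id>COLDAPP\S*?)(?=::)/g;

// Return every Tx id found in one log line, in order of appearance.
function extractTxIds(line) {
  return Array.from(line.matchAll(TX_ID), (m) => m.groups.tx_id);
}

// Split lines into those that yielded ids and those that did not, so
// unparsed events can be reviewed rather than silently dropped.
function summarize(lines) {
  const parsed = [];
  const unparsed = [];
  for (const line of lines) {
    const ids = extractTxIds(line);
    if (ids.length > 0) {
      parsed.push({ line, ids });
    } else {
      unparsed.push(line);
    }
  }
  return { parsed, unparsed };
}

const report = summarize(SAMPLE_LINES);
for (const { ids } of report.parsed) console.log(ids.join(", "));
console.log(`lines without a Tx id: ${report.unparsed.length}`);
```

The `(?<tx_id>...)` named-group syntax is the same one Splunk's `rex` command accepts for naming an extracted field.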