Re: How do you regex multiple keywords that are sh...

limalbert · ‎02-05-2019

If I'm trying to regex InteractionID and msg below, how do I get the results for all InteractionID and msg within the same transactionID?

Log example:

transactionID=888999;InteractionID=123;msg=hello;...;InteractionID=456;msg=world;...
transactionID=000011;InteractionID=789;msg=foo;...;InteractionID=556;msg=test;...

... means texts

InteractionID field should contain 123, 456, 789, 556
msg field should contain hello, world, foo, test

woodcock · ‎02-08-2019

Like this:

| makeresults 
| eval _raw="transactionID=888999;InteractionID=123;msg=hello;...;InteractionID=456;msg=world;..." 

| rename COMMENT AS "Everything above generates sample event data; everything below is your solution"

| rex max_match=0 "InteractionID=(?<InteractionID>\d+);msg=(?<msg>[^;]+)"

chrisyounger · ‎02-05-2019

Give this a try : | makemv tokenizer="msg=([^;]+);?" _raw

Here is the example i used to test it:

| makeresults
| eval _raw="transactionID=888999;InteractionID=123;msg=hello;...;InteractionID=456;msg=world;..."
| extract
| makemv tokenizer="msg=([^;]+);?" _raw

I hope this solves your problem

How do you regex multiple keywords that are shown in a log?

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!