How to include Field Extraction name in Splunk sea...

friscos · ‎09-22-2016

Hi,

I have extracted a transaction id using field extraction.

Field Extraction Name: BANK_APPLOG : EXTRACT-TransID
RegEx: ^(?:[^>\n]*>){4}(?P<TransID>\w+)

How do i include this field extraction name in the search so that I can retrieve all the transaction ids.

inventsekar · ‎09-22-2016

Index=ABC (sourcetype=ghi, source=def if needed) TransID |table TransID, _raw

friscos · ‎09-22-2016

I tried index=main sourcetype=BANK_APPLOG TransID | table TransID, _raw but this did not return any results.

gcusello · ‎09-22-2016

If you completed the field extraction and saved it you can use the field in your searches.
Otherwise you could use it adding a command

rex "^(?:[^>\n]*>){4}(?P<TransID>\w+)"

and use it.
Bye.
Giuseppe

friscos · ‎09-22-2016

I have tried this but this retrieves all the events and not by transaction id.

index=main sourcetype=BANK_APPLOG |  rex "^(?:[^>\n]*>){4}(?P<TransID>\w+)"

How to include Field Extraction name in Splunk search?