Splunk Search

How to write Field Extractions from Complex/inconsistence Event Structure

SplunkDash
Motivator

Hello, I have events with complex/inconsistence data structure. Need to extract field 2 values under 2 different fields. The regex I wrote is not working for all cases. My regex and sample events are given below. Any help will be appreciated. Thank you.

 

Regex I wrote:

^\w*\|\w*\|\w*\|\w*\|\w*\|\w*\|\w*\|\w*\|\w*\|\w*\|\w*.\w*.\w*.\w*\|\w*\|(?P<CODE>\d*)\|\w*\|(?P<ERRORMSG>\w*)\| (working only for First and Last events)

 

Sample events:

4CODEREG|REGT|MEF|IFA|REMOVE||||1234567890|bUnXG_o0PbpgAY2Go6F6jWWh|105.103.110.91|SAAS_BFAF_AUDIT|00|00|||20220419074638|||||<TRANSACTIONDATA><StatusMessage>GTX Key 202210954371398 Removing file: /opt/mef/temp/Attachments/IN//K20220419074627.3410.37570.68836.46248.co1rprdljap1s0l</StatusMessage></TRANSACTIONDATA>

wse083affc-1|TESTCASE|GETTRANS|VIEW_TRANS|VIEWPDF||||670018015|aMTmD8BKoyxOkt7U6MuUIl-2|2600:1700:2ed0:f8ws0:7566:140b:f358:6d20|SAAS_BSAF_AUDIT|01||Exception thrown from TDS on pdf or||20220419091342|202012|30|1|0|1;VENF;

446ODEREG|REGT|MEF|IFA|REMOVE||||1234567890|bUnXG_o0PbpgAY2Go6F6jWWh|104.103.110.90|SAAS_BFAF_AUDIT|01|00|Error||20220419074638|||||<TRANSACTIONDATA><StatusMessage>GTX Key 202210954371398 Removing file: /opt/mef/temp/Attachments/IN//K20220419074627.3410.37570.68836.46248.co1rprdljap1s0l</StatusMessage></TRANSACTIONDATA>

 

NOTE: First event doesn't have any values for ERRORMSG  (High Lights are values)

Labels (1)
Tags (1)
0 Karma
1 Solution

ITWhisperer
SplunkTrust
SplunkTrust
^[^\|]*\|[^\|]*\|[^\|]*\|[^\|]*\|[^\|]*\|[^\|]*\|[^\|]*\|[^\|]*\|[^\|]*\|[^\|]*\|[^\|]*\|[^\|]*\|(?P<CODE>\d*)\|[^\|]*\|(?P<ERRORMSG>[^\|]*)\|

View solution in original post

ITWhisperer
SplunkTrust
SplunkTrust
^[^\|]*\|[^\|]*\|[^\|]*\|[^\|]*\|[^\|]*\|[^\|]*\|[^\|]*\|[^\|]*\|[^\|]*\|[^\|]*\|[^\|]*\|[^\|]*\|(?P<CODE>\d*)\|[^\|]*\|(?P<ERRORMSG>[^\|]*)\|
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...