Splunk Search

Retrieve TransactionId from the following string through regex

JyotiP
Path Finder

Wanted to retrieve the transaction id from the given string

Level="ERROR", Date="2019-03-25 23:02:59,600", Message="Recevied terminaion signal from client. Closing connection.", JobType="Request", TimeSpan="50012", URL="http://test:8001/api/test/v2/placeorder", ActivityId="067725a6-e17a-4f86-8e14-a1e55c44148e", Header="{"Authorization":"*****","TransactionId":"6d80741d-d07d-4313-acf5-569d6ebec3c6","X-Request-Id":"067725a6-e17a-4f86-8e14-a1e55c44148e"}", Product="TestOrderData", Stack="Order-data", Service="Test", AppDomain="Order-data_Test"

tried with

rex field=Header Transaction=("TransactionId":"*) | table Transaction
rex field=Header "TransactionId\":\"(?<TransactionId>\w+)\"" | table TransactionId

But none of them are working

Tags (2)
0 Karma
1 Solution

DMohn
Motivator

Is your "Header" field extracted correctly?

If you use rex field=_raw "TransactionId\":\"(?<TransactionId>[^\"]+)\"" | table TransactionId you should get the desired results. Please keep in mind, that \w does only cover word charakters, which don't include the hyphen. So either use [\w-] or use the negated quotation [^\"].

View solution in original post

0 Karma

DMohn
Motivator

Is your "Header" field extracted correctly?

If you use rex field=_raw "TransactionId\":\"(?<TransactionId>[^\"]+)\"" | table TransactionId you should get the desired results. Please keep in mind, that \w does only cover word charakters, which don't include the hyphen. So either use [\w-] or use the negated quotation [^\"].

View solution in original post

0 Karma
.conf21 CFS Extended through 5/20!

Don't miss your chance
to share your Splunk
wisdom in-person or
virtually at .conf21!

Call for Speakers has
been extended through
Thursday, 5/20!