Wanted to retrieve the transaction id from the given string
Level="ERROR", Date="2019-03-25 23:02:59,600", Message="Recevied terminaion signal from client. Closing connection.", JobType="Request", TimeSpan="50012", URL="http://test:8001/api/test/v2/placeorder", ActivityId="067725a6-e17a-4f86-8e14-a1e55c44148e", Header="{"Authorization":"*****","TransactionId":"6d80741d-d07d-4313-acf5-569d6ebec3c6","X-Request-Id":"067725a6-e17a-4f86-8e14-a1e55c44148e"}", Product="TestOrderData", Stack="Order-data", Service="Test", AppDomain="Order-data_Test"
Tried with:
rex field=Header Transaction=("TransactionId":"*) | table Transaction
rex field=Header "TransactionId\":\"(?<TransactionId>\w+)\"" | table TransactionId
But none of them are working.
Is your "Header" field extracted correctly?
If you use
rex field=_raw "TransactionId\":\"(?<TransactionId>[^\"]+)\"" | table TransactionId
you should get the desired results. Please keep in mind that \w only covers word characters, which don't include the hyphen. So either use [\w-] or use the negated quotation [^\"].
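An added example, not part of the original answer: the three capture classes from this thread run against a shortened, constructed copy of the event, once on the raw text and once on a Header value as a simple key="value" extractor would produce it. The helper names and `naive_kv` are hypothetical; `naive_kv` is an assumed simplified model of quoted-value extraction, not Splunk's own code.

```python
import re

# Constructed sample: the event from the question with some fields dropped.
RAW = ('Level="ERROR", Date="2019-03-25 23:02:59,600", '
       'ActivityId="067725a6-e17a-4f86-8e14-a1e55c44148e", '
       'Header="{"Authorization":"*****",'
       '"TransactionId":"6d80741d-d07d-4313-acf5-569d6ebec3c6",'
       '"X-Request-Id":"067725a6-e17a-4f86-8e14-a1e55c44148e"}", '
       'Product="TestOrderData"')

# Python spells named groups (?P<name>...); rex uses (?<name>...).
PATTERNS = {
    r"\w+":    r'TransactionId":"(?P<TransactionId>\w+)"',     # asker's class
    r"[\w-]+": r'TransactionId":"(?P<TransactionId>[\w-]+)"',  # hyphen allowed
    r'[^"]+':  r'TransactionId":"(?P<TransactionId>[^"]+)"',   # up to next quote
}


def naive_kv(raw):
    """Assumed model of key="value" extraction: a value ends at the next quote.

    The unescaped quotes inside Header's JSON cut its value short.
    """
    return dict(re.findall(r'(\w+)="([^"]*)"', raw))


def extract(pattern, text):
    """Return the captured TransactionId, or None when the pattern fails."""
    m = re.search(pattern, text)
    return m.group("TransactionId") if m else None


def compare(raw):
    """Run every pattern against the raw event and the modelled Header field."""
    header = naive_kv(raw).get("Header", "")
    return {label: {"_raw": extract(p, raw), "Header": extract(p, header)}
            for label, p in PATTERNS.items()}


if __name__ == "__main__":
    print("modelled Header value:", repr(naive_kv(RAW)["Header"]))
    for label, hits in compare(RAW).items():
        print(f"{label:8} _raw={hits['_raw']!r} Header={hits['Header']!r}")
```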