Splunk Search

Retrieve TransactionId from the following string through regex

JyotiP
Path Finder

Wanted to retrieve the transaction id from the given string

Level="ERROR", Date="2019-03-25 23:02:59,600", Message="Recevied terminaion signal from client. Closing connection.", JobType="Request", TimeSpan="50012", URL="http://test:8001/api/test/v2/placeorder", ActivityId="067725a6-e17a-4f86-8e14-a1e55c44148e", Header="{"Authorization":"*****","TransactionId":"6d80741d-d07d-4313-acf5-569d6ebec3c6","X-Request-Id":"067725a6-e17a-4f86-8e14-a1e55c44148e"}", Product="TestOrderData", Stack="Order-data", Service="Test", AppDomain="Order-data_Test"

tried with

rex field=Header Transaction=("TransactionId":"*) | table Transaction
rex field=Header "TransactionId\":\"(?<TransactionId>\w+)\"" | table TransactionId

But none of them are working

Tags (2)
0 Karma
1 Solution

DMohn
Motivator

Is your "Header" field extracted correctly?

If you use rex field=_raw "TransactionId\":\"(?<TransactionId>[^\"]+)\"" | table TransactionId you should get the desired results. Please keep in mind, that \w does only cover word charakters, which don't include the hyphen. So either use [\w-] or use the negated quotation [^\"].

View solution in original post

0 Karma

DMohn
Motivator

Is your "Header" field extracted correctly?

If you use rex field=_raw "TransactionId\":\"(?<TransactionId>[^\"]+)\"" | table TransactionId you should get the desired results. Please keep in mind, that \w does only cover word charakters, which don't include the hyphen. So either use [\w-] or use the negated quotation [^\"].

0 Karma
Get Updates on the Splunk Community!

Introducing a Smarter Way to Discover Apps on Splunkbase

We’re excited to announce the launch of a foundational enhancement to Splunkbase: App Tiering. Because we’ve ...

How to Send Splunk Observability Alerts to Webex teams in Minutes

As a Developer Evangelist at Splunk, my team and I are constantly tinkering with technology to explore its ...

.conf25 Registration is OPEN!

Ready. Set. Splunk! Your favorite Splunk user event is back and better than ever. Get ready for more technical ...