Splunk regex field

amandahaydaw199 · ‎03-30-2019

I am trying to regex correlation Id's, that will be having a different unique number in every transaction. I am using below query but it's not fetching correct value (Correlation ID ),

Splunk query : timeformat="%d/%m/%Y %H:%M:%S" earliest="28/03/2019 15:38:08" latest="28/03/2019 18:08:08" host="splunk-max-tk.global.com.local:9090" "correlationid_test1234" "request flow lambda starts" OR "response flow lambda ends" | rex field=_raw "2019*(?.*?)" | where isnotnull(correlationId) | transaction correlationId startsWith="request flow lambda starts" endsWith="response flow lambda ends" | dedup correlationId

Splunk LOGS : 28/03/2019 18:08:03.748

2019-03-28T18:08:03.748402+11:00 [correlationid_test1234hfkfhsfkfsjhfjlsdhfjl] INFO [init.py 187] request flow lambda starts

2019-03-28T18:08:05.129540+11:00 [correlationid_test1234hfkfhsfkfsjhfjlsdhfjl] INFO [init.py 187] response flow lambda ends

woodcock · ‎03-31-2019

Like this:

... | rex "\[correlationid_(?<correlationid>[^\]]+)"

richgalloway · ‎03-30-2019

You can get the correlation ID with this regex: "correlationid_(?[^]]+".
Also, since correlation IDs are unique there should be no need for dedup correlationId.

---
If this reply helps you, Karma would be appreciated.

Splunk regex field

Unlock Database Monitoring with Splunk Observability Cloud

Purpose in Action: How Splunk Is Helping Power an Inclusive Future for All

[Upcoming Webinar] Demo Day: Transforming IT Operations with Splunk

Join the Conversation

Splunk regex field

Unlock Database Monitoring with Splunk Observability Cloud

Purpose in Action: How Splunk Is Helping Power an Inclusive Future for All

[Upcoming Webinar] Demo Day: Transforming IT Operations with Splunk