Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

extract two different field values into one field using regex

man03359
Communicator
‎06-30-2023 03:45 AM

Hi All,

I am fairly new to Splunk and I have bit of a challenge in front of me which I am not able to resolve. I have the following event -

30/06/2023 12:23:15 (01) >> AdyenProxy::AdyenPaymentResponse::ProcessPaymentFailure::Additional response -> Message : 102 Shopper cancelled pin entry ; Refusal Reason : 102 Shopper cancelled pin entry

I am using the regex "rex field=_raw "AdyenPaymentResponse:.+\sReason\s:\s(?<Failure_Message>.+)" to extract the error message using refusal reason as the keyword as for some places the error printing under Message is irrelevant. But the problem I am facing is at some of the events the Refusal Reason field is empty and I have to capture the field value under Message eg --

"30/06/2023 12:18:39 (01) >> AdyenProxy::AdyenPaymentResponse::ProcessPaymentFailure::Additional response -> Message : MAINTENANCE ; Refusal Reason : "

I am trying to extract all the error messages under one field called Failure_Message.  Or to capture the Message part under same extracted field when Refusal Reason is empty. Is it possible ?

Labels (3)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

isoutamo
SplunkTrust
SplunkTrust
‎06-30-2023 04:09 AM

Hi

you need just to replace on rex the last + to * like 

index=_audit
| head 1
| eval _raw="30/06/2023 12:23:15 (01) >> AdyenProxy::AdyenPaymentResponse::ProcessPaymentFailure::Additional response -> Message : 102 Shopper cancelled pin entry ; Refusal Reason : 102 Shopper cancelled pin entry
30/06/2023 12:18:39 (01) >> AdyenProxy::AdyenPaymentResponse::ProcessPaymentFailure::Additional response -> Message : MAINTENANCE ; Refusal Reason : "
| multikv noheader=t
``` above creates test data ```
| rex "AdyenPaymentResponse:.+\sReason\s:\s(?<Failure_Message>.*)"

as my example shows.

r. Ismo 

BTW: Using "index=_audit | head 1" instead of "| makeresults" you will get "Selected and Interesting Fields" on left side panel 😉

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

isoutamo
SplunkTrust
SplunkTrust
‎06-30-2023 04:09 AM

Hi

you need just to replace on rex the last + to * like 

index=_audit
| head 1
| eval _raw="30/06/2023 12:23:15 (01) >> AdyenProxy::AdyenPaymentResponse::ProcessPaymentFailure::Additional response -> Message : 102 Shopper cancelled pin entry ; Refusal Reason : 102 Shopper cancelled pin entry
30/06/2023 12:18:39 (01) >> AdyenProxy::AdyenPaymentResponse::ProcessPaymentFailure::Additional response -> Message : MAINTENANCE ; Refusal Reason : "
| multikv noheader=t
``` above creates test data ```
| rex "AdyenPaymentResponse:.+\sReason\s:\s(?<Failure_Message>.*)"

as my example shows.

r. Ismo 

BTW: Using "index=_audit | head 1" instead of "| makeresults" you will get "Selected and Interesting Fields" on left side panel 😉

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | I’m short for "configuration file.” What am I?

May 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with a Special ...

New Articles from Academic Learning Partners, Help Expand Lantern’s Use Case Library, ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Your Guide to SPL2 at .conf24!

So, you’re headed to .conf24? You’re in for a good time. Las Vegas weather is just *chef’s kiss* beautiful in ...