Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

how to keep sender name with space in search result

avikc100
Path Finder
‎02-20-2024 05:25 PM

I am using Splunk Enterprise Version: 9.1.0.1.

my search query is :

index="webmethods_prd" source="/apps/webmethods/integrationserver/instances/default/logs/USCustomerEDI.log" InterfaceName=USCUSTOMERPO Status=Success OR Status=Failure | eval timestamp=strftime(_time, "%F")|chart limit=30 dc(TxID) over Sender_ID by timestamp

in result I am getting incomplete Sender_ID, splunk removed space from Sender_ID

avikc100_0-1708478589514.png


but actually it should be full name , like this :

avikc100_1-1708478644765.png

How can I preserve the full Sender_ID here?

 

Avik

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎02-21-2024 03:34 AM

You have not shown how Sender_ID has been extracted. Having said that, you may need to re-extract it with a rex command, such as this:

| rex "Sender_ID=(?<Sender_ID>.+)\s Receiver_ID"

View solution in original post

0 Karma
Reply
Solved! Jump to solution

avikc100
Path Finder
‎02-21-2024 12:22 PM

used rex "Receiver_ID =(?<Receiver_ID>.+)\s TxnType" and worked

0 Karma
Reply
Solved! Jump to solution

avikc100
Path Finder
‎02-21-2024 10:53 AM

Sender_ID is present in log line:

2024-02-16 09:55:41:829 EST| INFO |InterfaceName=USCUSTOMERPO POCanonical_JSONHttpDataProcess=END JSON data successfully processed to Order Processor application for TxID=20240216095535623-0EEu Sender_ID=hC Bioscience Inc Receiver_ID=ThermoFisher Scientific TxnType=USCustomer_PO Format=cXML Direction=Inbound PO_Num=2550 Status=Success

 

avikc100_2-1708541547193.png

 

 

I have updated the query bit still space is truncated 


InterfaceName=USCUSTOMERPO Status=Success OR Status=Failure | eval timestamp=strftime(_time, "%F")|chart limit=30 dc(TxID) over Sender_ID by timestamp|rex "Sender_ID=(?<Sender_ID>.+)\s"

 

 

0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎02-21-2024 03:34 AM

You have not shown how Sender_ID has been extracted. Having said that, you may need to re-extract it with a rex command, such as this:

| rex "Sender_ID=(?<Sender_ID>.+)\s Receiver_ID"
0 Karma
Reply
Solved! Jump to solution

avikc100
Path Finder
‎02-21-2024 11:38 AM

Can you please help to extract Receiver_ID also, how should I regex it?

 

Receiver_ID ='Thermo Fisher Sci West Palm Beach' TxnType=

0 Karma
Reply
Solved! Jump to solution

avikc100
Path Finder
‎02-21-2024 05:15 AM

Sender_ID is present in logging:
as example: 
2024-02-16 09:55:41:829 EST| INFO |InterfaceName=USCUSTOMERPO POCanonical_JSONHttpDataProcess=END JSON data successfully processed to Order Processor application for TxID=20240216095535623-0EEu Sender_ID=hC Bioscience Inc Receiver_ID=ThermoFisher Scientific TxnType=USCustomer_PO Format=cXML Direction=Inbound PO_Num=2550 Status=Success

 



please help to form the query :
i tried this but still the issue persist

it is taking only 1st word from log line 

avikc100_1-1708521074880.png

 

0 Karma
Reply
Get Updates on the Splunk Community!

New This Month in Splunk Observability Cloud - Metrics Usage Analytics, Enhanced K8s ...

The latest enhancements across the Splunk Observability portfolio deliver greater flexibility, better data and ...

Alerting Best Practices: How to Create Good Detectors

At their best, detectors and the alerts they trigger notify teams when applications aren’t performing as ...

Discover Powerful New Features in Splunk Cloud Platform: Enhanced Analytics, ...

Hey Splunky people! We are excited to share the latest updates in Splunk Cloud Platform 9.3.2408. In this ...