×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
mattt
Engager
Member since: ‎05-13-2025
‎03-05-2026
Community Statistics
Posts 2
Solutions 0
Karma Given 2
Karma Received 0
Member Since ‎05-13-2025
View All

Re: Splunk Fields Extraction - Open telemetry Coll...

by in Splunk Enterprise
‎05-22-2025 09:01 AM
‎05-22-2025 09:01 AM
Hi @livehybrid  sorry for the late response. Unfortunately, the answer you provided does not work. Still no extraction and same behaviour. Can you help me split and create the correct splunk field? Thanks in advance, Matt ... View more

Splunk Fields Extraction - Open telemetry Collecto...

by in Splunk Enterprise
‎05-13-2025 07:13 AM
‎05-13-2025 07:13 AM
Good morning, I’m experiencing an issue with the following log: 15:41:41,341 2025-05-13 15:41:41,340 DEBUG [org.jbo.res.rea.cli.log.DefaultClientLogger] (vert.x-eventloop-thread-1) requestId=31365aee-0e03-43bc-9ccd-fd465aa7a4ca Request: GET http://something.com/something/else Headers[Accept=application/json If-Modified-Since=Tue, 13 May 2025 04:00:27 GMT User-Agent=Quarkus REST Client], Empty body 2025-05-13 15:41:39,970 DEBUG [org.jbo.res.rea.cli.log.DefaultClientLogger] (vert.x-eventloop-thread-1) requestId=95a1a839-2967-4ab8-8302-f5480106adb6 Response: GET http://something.com/something/else, Status[304 Not Modified], Headers[access-control-allow-credentials=true access-control-allow-headers=content-type, accept, authorization, cache-control, pragma access-control-allow-methods=OPTIONS,HEAD,POST,GET access-control-allow-origin=* cache-control=no-cache server-timing=intid;desc=4e7d2996fd2b9cc9 set-cookie=d81b2a11fe1ca01805243b5777a6e906=abae4222185903c47a832e0c67618490; path=/; HttpOnly] A bit of context that may be relevant: these logs are shipped using Splunk OTEL collectors. In the _raw logs, I see the following field values: Field Value requestID 95a1a839-2967-4ab8-8302-f5480106adb6 Response: GET http://something.com/something/else requestID requestId=31365aee-0e03-43bc-9ccd-fd465aa7a4ca Request: GET http://something.com/something/else   What I want is for the requestID, and the Request or Response parts to be extracted into separate fields. I’ve already added the following to my props.conf: [sourcetype*] EXTRACT-requestId = requestId=(?<field_request>[a-f0-9\-]+) EXTRACT-Response = Response:\s(?<field_response>([A-Z]+)\s([^\s,]+(?:[^\r\n]+))) EXTRACT-Request = Request:\s(?<field_request>([A-Z]+)\s([^\s,]+(?:[^\r\n]+))) I verified on regex101 that the regex matches correctly, but it's not working in Splunk. Could the issue be that the log show Response: instead of Response= and Splunk doesn’t treat it as a proper field delimiter? Unfortunately, I’m unable to modify the source lo What else can I check? Do I need to modify the .yml configuration for the Splunk OTEL collector, or should I stick to using props.conf and transforms.conf?   Thank you in advance, Best Regards. Matteo ... View more
Labels
Contact Me
Online Status
Offline
Date Last Visited
‎03-05-2026 12:59 AM
Karma given to
View All