I'm doing an extraction for Jsession IDs. I'm writing the regex myself and after previewing the events, it correctly captures 100% of what I need it to. Now after I save it and look for it on the left in 'Fields', it's nowhere to be found. I also tried typing it into my search Jsession="*" with no luck. I'm also open to suggestions if anyone can provide regex to capture the alphanumeric Jsession ID which always has 32 characters.
There is < and > before and after the word jsession but this website won't show it in the code
Here's my regex
(?PJsession)([0-9A-Z]{32})
Hi skoelpin,
check if you get any event at all containing the raw data for the Jsession field, and also check if you're maybe running search in fast mode http://docs.splunk.com/Documentation/Splunk/6.2.3/Search/Changethesearchmode which will not extract any other fields aside from the default ones such as host, source, and sourcetype.
cheers, MuS
Kindly share sample log
Thanks for the reply.. I currently have 2 different types of fields, I got the regex working for one type but I need an OR operator to get the other type.
Here's my current regular expression which works for type 1 but does not work for type 2. I need to have an OR operator somewhere in there so it can see | OR <
|(?P<Jsession> [0-9A-Z]{32})
Also this regular expression will work for Type 2 but not type 1
>(?P<RTG_Jsession>[0-9A-Z]{32})
Type 1:
<TransactionID xmlns="http://schemas.datacontract.org/2004/07/DotCom_Delivery">FromPDP|A50499428ZZB032F3BDCAF286EC38RNR...>
Type 2:
<TransactionID xmlns="http://schemas.datacontract.org/2004/07/DotComOrder">991459AB3A668NA7ECB5FDB44B8DC111</Transac...>
okay, try this:
>|<
This will match either > or | then the 32 times any alphanumeric and ends with a <
Tested and working on regex101.com
cheers, MuS
Works perfectly!! I was using regexr.com but I'm seeing regex101.com is much better. Thanks for your help!
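Added example, not part of the original thread: one pattern that follows the description in the answer above (a `>` or `|` delimiter, 32 characters from `[0-9A-Z]`, then `<`), checked against both event types. The pattern, the function names, and the closing `</TransactionID>` tags in the sample events are assumptions, since the page truncates the events.

```python
import re

# Assumed pattern, written from the description in the thread.
# Inside a character class '|' is a literal pipe, so it needs no escaping;
# outside a class an unescaped '|' means alternation.
JSESSION_RE = re.compile(r"[>|](?P<Jsession>[0-9A-Z]{32})<")

# Constructed sample events modelled on Type 1 and Type 2 from the thread.
# The closing tags are assumed because the original events are cut off.
TYPE1 = ('<TransactionID xmlns="http://schemas.datacontract.org/2004/07/'
         'DotCom_Delivery">FromPDP|A50499428ZZB032F3BDCAF286EC38RNR'
         '</TransactionID>')
TYPE2 = ('<TransactionID xmlns="http://schemas.datacontract.org/2004/07/'
         'DotComOrder">991459AB3A668NA7ECB5FDB44B8DC111</TransactionID>')

# Constructed negative cases: too short, too long, and lowercase IDs.
TOO_SHORT = '<TransactionID>' + 'A' * 31 + '</TransactionID>'
TOO_LONG = '<TransactionID>' + 'A' * 33 + '</TransactionID>'
LOWERCASE = '<TransactionID>' + 'a' * 32 + '</TransactionID>'


def extract_jsession(event):
    """Return the 32-character ID from one event, or None if absent."""
    match = JSESSION_RE.search(event)
    return match.group("Jsession") if match else None


def extract_all(events):
    """Map each event to its extracted ID (None where nothing matched)."""
    return [extract_jsession(e) for e in events]


if __name__ == "__main__":
    for name, event in [("type 1", TYPE1), ("type 2", TYPE2),
                        ("too short", TOO_SHORT), ("too long", TOO_LONG),
                        ("lowercase", LOWERCASE)]:
        print(f"{name:10} -> {extract_jsession(event)}")
```

Requiring both the leading delimiter and the trailing `<` is what rejects the 31- and 33-character runs; without them `{32}` would match any 32-character slice of a longer string.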