Splunk Enterprise
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Need help with regex

sbhatnagar88
Path Finder
‎11-23-2021 11:05 PM

Can some one help me to extract correlation _id from the below sample data.

requirement is to extract the correlation_id into a field.

 

ys_class_name="Incident",closed_by="",dv_closed_by="",follow_up="",dv_follow_up="",parent_incident="",dv_parent_incident="",reopened_by="",dv_reopened_by="",reassignment_count="1",dv_reassignment_count="1",assigned_to="c8c62ea2db51f090439694d3f39619dc",dv_assigned_to="pusapati dixitulu",u_reopening_reason="",dv_u_reopening_reason="None",sla_due="",dv_sla_due="UNKNOWN",comments_and_work_notes="",u_transfer_between_users="",dv_u_transfer_between_users="",agile_story="",dv_agile_story="",escalation="0",dv_escalation="Normal",upon_approval="proceed",dv_upon_approval="Proceed to Next Task",correlation_id="f725d663-7c62-4f50-82b1-1483df23562e",dv_correlation_id="f725d663-7c62-4f50-82b1-1483df23562e",u_business_area="",dv_u_business_area="None",u_plb="",dv_u_plb="None",u_division="",dv_u_division="",u_bu_code="",dv_u_bu_code="",u_is_escalated="false",dv_u_is_escalated="false",child_incidents="0",dv_child_incidents="0",task_effective_number="INC4750863",dv_task_effective_number="INC4750863",u_last_assignment="2021-11-24 05:49:28",dv_u_last_assignment="2021-11-24 06:49:28",resolved_by="",dv_resolved_by

Thanks

Labels (1)
Labels
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎11-24-2021 12:24 AM 
| rex ",correlation_id=\"(?<correlation_id>[^\"]+)\""

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎11-24-2021 12:24 AM 
| rex ",correlation_id=\"(?<correlation_id>[^\"]+)\""
0 Karma
Reply
Solved! Jump to solution

aasabatini
Motivator
‎11-24-2021 12:23 AM

Hi @sbhatnagar88 

try like this

| rex field=_raw "\,correlation_id=\"(?<correlation_id>[^ "]+)"

anyway with this log you can extract all the fields with the key-value extraction,  that's more easier to extract fields.

“The answer is out there, Neo, and it’s looking for you, and it will find you if you want it to.”
0 Karma
Reply
Solved! Jump to solution

sbhatnagar88
Path Finder
‎11-29-2021 12:10 AM

Thanks but looks like it has some syntax issues.

0 Karma
Reply
Related Topics
I need help with regex?
Get Updates on the Splunk Community!

Aligning Observability Costs with Business Value: Practical Strategies

 Join us for an engaging Tech Talk on Aligning Observability Costs with Business Value: Practical ...

Mastering Data Pipelines: Unlocking Value with Splunk

 In today's AI-driven world, organizations must balance the challenges of managing the explosion of data with ...

Splunk Up Your Game: Why It's Time to Embrace Python 3.9+ and OpenSSL 3.0

Did you know that for Splunk Enterprise 9.4, Python 3.9 is the default interpreter? This shift is not just a ...
OSZAR »