Solved: Extract field with multi-values, is using an "OR" ...

kmccowen · ‎07-17-2015

the errors messages in my logs have different formatting so I'm wondering if there is a way to combine the below two queries with an "OR" statement during my extraction. Is this possible or is there any other ideas that would be better?

query 1)

-\w{9}\s:\s(?P<pay_fail_rsn>.+)

[2015-07-17T08:16:18.406-05:00] [gw_server12] [NOTIFICATION] [] [com.charter.care.customer.view.payments.backing.PaymentsManager] [tid: [ACTIVE].ExecuteThread: '11' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: dpalmore] [ecid: c6e22fa0-0a11-4641-8c00-9abd11a6b8ec-0004101c,0] [APP: chtrgwy] 2015-07-17 08:16:18.406 - PAYMENT REQUEST FAILED - EFT payments - 4DK - 8245124990214484 - 152.61 -EXCEPTION : MBC50E-RC=R08,PAYMENT STOPPED - 9977

"OR statement"

query 2)

-\s\w{9}\s:\s(?P<pay_fail_rsn>.+) for below

[2015-07-17T08:17:10.639-05:00] [gw_server12] [NOTIFICATION] [] [com.charter.care.customer.view.payments.backing.PaymentsManager] [tid: [ACTIVE].ExecuteThread: '21' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: bbarrett] [ecid: c6e22fa0-0a11-4641-8c00-9abd11a6b8ec-000410c2,0] [APP: chtrgwy] 2015-07-17 08:17:10.639 - PAYMENT REQUEST FAILED - CC payments - 2T2 - 8351100660591807 - 90.58 - EXCEPTION : Good response-check reject rsn - Rejected Reason - 2 - Invalid cardholder number - - 5018

woodcock · ‎07-17-2015

This one RegEx will work for both cases:

-\s*\w{9}\s:\s(?P<pay_fail_rsn>.+)

View solution in original post

woodcock · ‎07-17-2015

This one RegEx will work for both cases:

-\s*\w{9}\s:\s(?P<pay_fail_rsn>.+)

Extract field with multi-values, is using an "OR" operator with two queries possible?

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!