Solved: Extract field with multi-values, is using an "OR" ...

kmccowen · ‎07-17-2015

the errors messages in my logs have different formatting so I'm wondering if there is a way to combine the below two queries with an "OR" statement during my extraction. Is this possible or is there any other ideas that would be better?

query 1)

-\w{9}\s:\s(?P<pay_fail_rsn>.+)

[2015-07-17T08:16:18.406-05:00] [gw_server12] [NOTIFICATION] [] [com.charter.care.customer.view.payments.backing.PaymentsManager] [tid: [ACTIVE].ExecuteThread: '11' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: dpalmore] [ecid: c6e22fa0-0a11-4641-8c00-9abd11a6b8ec-0004101c,0] [APP: chtrgwy] 2015-07-17 08:16:18.406 - PAYMENT REQUEST FAILED - EFT payments - 4DK - 8245124990214484 - 152.61 -EXCEPTION : MBC50E-RC=R08,PAYMENT STOPPED - 9977

"OR statement"

query 2)

-\s\w{9}\s:\s(?P<pay_fail_rsn>.+) for below

[2015-07-17T08:17:10.639-05:00] [gw_server12] [NOTIFICATION] [] [com.charter.care.customer.view.payments.backing.PaymentsManager] [tid: [ACTIVE].ExecuteThread: '21' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: bbarrett] [ecid: c6e22fa0-0a11-4641-8c00-9abd11a6b8ec-000410c2,0] [APP: chtrgwy] 2015-07-17 08:17:10.639 - PAYMENT REQUEST FAILED - CC payments - 2T2 - 8351100660591807 - 90.58 - EXCEPTION : Good response-check reject rsn - Rejected Reason - 2 - Invalid cardholder number - - 5018

woodcock · ‎07-17-2015

This one RegEx will work for both cases:

-\s*\w{9}\s:\s(?P<pay_fail_rsn>.+)

View solution in original post

woodcock · ‎07-17-2015

This one RegEx will work for both cases:

-\s*\w{9}\s:\s(?P<pay_fail_rsn>.+)

Extract field with multi-values, is using an "OR" operator with two queries possible?

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!