Solved: Need to extract JSESSIONID from result

rh417692 · ‎05-16-2017

Query: index="prod" "Null Pointer Exception"
Result: Key: value, key; value, JSESSIONID:123456.ATG.PROD, key: value

How do I extract only the JSESSIONID from the result?

somesoni2 · ‎05-16-2017

Try this

index="prod" "Null Pointer Exception" | rex "JSESSIONID\:(?<JSESSIONID>[^\.]+)"

View solution in original post

somesoni2 · ‎05-16-2017

Try this

index="prod" "Null Pointer Exception" | rex "JSESSIONID\:(?<JSESSIONID>[^\.]+)"

rh417692 · ‎05-16-2017

Is there a way to capture unique JSESSIONID values?

somesoni2 · ‎05-16-2017

Do you mean your search result should show one event per JSESSIONID? If yes, then use like this

index="prod" "Null Pointer Exception" | rex "JSESSIONID\:(?<JSESSIONID>[^\.]+)" | dedup JSESSIONID

rh417692 · ‎05-16-2017

The 'dedup JSESSIONID' got me unique JSESSIONID values. Thank you @somesoni2 !

rh417692 · ‎05-16-2017

Do you mind explaining this part please: "JSESSIONID:(?[^.]+)" ? Does it mean to capture the value after the colon? If yes, and if there was a space after colon, would it have captured that too? How would you ignore the space after the colon?

somesoni2 · ‎05-16-2017

It's basically everything between JSESSIONID: and first occurance of dot. It would capture that space as well. To ignore that try this. This will ignore space if present after colon (0 or more occurance of space)

| rex "JSESSIONID\:\s*(?<JSESSIONID>[^\.]+)"

Need to extract JSESSIONID from result

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!