TxnProcess I >>>>>>>>> TransactionTypeCode for TxnId 3501574041788 is ABC
TxnProcess I >>>>>>>>> TransactionTypeCode for TxnId 3501689567745 is XYZ
TxnProcess I >>>>>>>>> TransactionTypeCode for TxnId 3501689456789 is PNR
Need help to get the Splunk report in the below format based on the above inputs, where the values (TransactionTypeCode & TxnId) are dynamic in nature:
ABC 3501574041788
XYZ 3501689567745
PNR 3501689456789
Here's one way, but I'm sure there are many others.
<your base search> | rex "TxnId (?<TxnId>\d+) is (?<TransactionTypeCode>\w+)" | table TransactionTypeCode TxnId
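The extraction in the answer above, worked through in Python as an added example (it is not code from the thread or from Splunk). It runs the same pattern over constructed copies of the three log lines from the question plus one non-matching line, and prints the two-column table the `| table TransactionTypeCode TxnId` step produces. The one change from the rex syntax is that Splunk's rex uses the PCRE spelling `(?<name>...)` for a named group, while Python's `re` spells it `(?P<name>...)`; the pattern text is otherwise identical.

```python
import re

# Constructed sample events mirroring the format in the question (not real log data);
# the last line is a constructed non-matching event to show how it is handled.
SAMPLE_EVENTS = [
    "TxnProcess I >>>>>>>>> TransactionTypeCode for TxnId 3501574041788 is ABC",
    "TxnProcess I >>>>>>>>> TransactionTypeCode for TxnId 3501689567745 is XYZ",
    "TxnProcess I >>>>>>>>> TransactionTypeCode for TxnId 3501689456789 is PNR",
    "TxnProcess I >>>>>>>>> heartbeat, no transaction here",
]

# Same pattern as the rex in the answer. Splunk rex uses PCRE syntax (?<name>...);
# Python's re module spells a named group (?P<name>...), the only change made here.
TXN_PATTERN = re.compile(r"TxnId (?P<TxnId>\d+) is (?P<TransactionTypeCode>\w+)")


def extract_txn(events):
    """Apply the pattern to each event, as `| rex` does, and keep one row per event
    in which both fields were extracted. rex leaves the fields null on events that
    do not match; those events contribute no row here."""
    rows = []
    for event in events:
        match = TXN_PATTERN.search(event)
        if match is None:
            continue
        rows.append(match.groupdict())
    return rows


def render_table(rows, columns):
    """Render rows as space-separated text in the given column order, the shape
    `| table TransactionTypeCode TxnId` produces."""
    return "\n".join(" ".join(row[col] for col in columns) for row in rows)


if __name__ == "__main__":
    print(render_table(extract_txn(SAMPLE_EVENTS), ["TransactionTypeCode", "TxnId"]))
```

Searching with `TXN_PATTERN.search` rather than `match` mirrors rex, which scans anywhere in the event, so the `TxnProcess I >>>>>>>>>` prefix does not need to appear in the pattern.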
Thank you so much Rich,
It works perfectly. Just out of curiosity, what does \w+ stand for? (I have just started using rex in Splunk.)
Also, will there be an easy way to get the below o/p from the given I/P? Appreciate your help.
Input:
[7/18/17 11:21:36:434 EDT] 00004b1d SystemOut O Notification Type (MQ) = EMAIL
[7/18/17 11:21:36:434 EDT] 00004b1d SystemOut O Notification Type (MQ) = SMS
[7/18/17 11:21:36:434 EDT] 00004b1d SystemOut O Notification Type (MQ) = VOICE
Notification Type TypeCode
MQ EMAIL
MQ SMS
MQ VOICE
\w+
means "at least one word character". A word character is any alphanumeric character (a-zA-Z0-9) or underscore (_).
A good resource for regular expressions is regex101.com.
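An added example, not code from the thread or from Splunk, that makes the `\w+` definition above concrete: `first_word` returns what a `(?<name>\w+)` group would capture, so you can see it stop at a hyphen or space and exclude non-ASCII letters. The second half applies the same idea to the `Notification Type (MQ) = EMAIL` lines from the follow-up question; that pattern (`NOTIFICATION_PATTERN`) and the field name `Notification_Type` are my assumptions, not something given in the thread. As before, Python spells a named group `(?P<name>...)` where rex uses `(?<name>...)`.

```python
import re

# \w+ as described above: one or more of [A-Za-z0-9_]. re.ASCII keeps Python's \w
# ASCII-only, matching the PCRE default that Splunk's rex uses; without it Python's
# \w also matches Unicode letters such as "e-acute".
WORD = re.compile(r"\w+", re.ASCII)


def first_word(text):
    """Return the first run of word characters in text, or None if there is none.
    This is exactly what (?<name>\w+) would capture at that position."""
    m = WORD.search(text)
    return m.group(0) if m else None


# Constructed sample events in the second format from the follow-up question.
NOTIFICATION_EVENTS = [
    "[7/18/17 11:21:36:434 EDT] 00004b1d SystemOut O Notification Type (MQ) = EMAIL",
    "[7/18/17 11:21:36:434 EDT] 00004b1d SystemOut O Notification Type (MQ) = SMS",
    "[7/18/17 11:21:36:434 EDT] 00004b1d SystemOut O Notification Type (MQ) = VOICE",
]

# Assumed pattern (not from the thread). The literal parentheses around MQ must be
# escaped as \( and \); unescaped, "(MQ)" is a capture group that matches the bare
# letters MQ and the pattern no longer lines up with the event text. The rex
# spelling would be: "Notification Type \((?<Notification_Type>\w+)\) = (?<TypeCode>\w+)"
NOTIFICATION_PATTERN = re.compile(
    r"Notification Type \((?P<Notification_Type>\w+)\) = (?P<TypeCode>\w+)", re.ASCII
)


def extract_notifications(events):
    """Return (Notification_Type, TypeCode) pairs for every event the pattern matches."""
    pairs = []
    for event in events:
        m = NOTIFICATION_PATTERN.search(event)
        if m:
            pairs.append((m.group("Notification_Type"), m.group("TypeCode")))
    return pairs


if __name__ == "__main__":
    print("Notification_Type TypeCode")
    for ntype, code in extract_notifications(NOTIFICATION_EVENTS):
        print(ntype, code)
```

The `re.ASCII` flag is the caveat worth remembering when prototyping a rex pattern in Python: a pattern that captures accented or non-Latin text in Python will stop short of it in Splunk unless the PCRE Unicode option is enabled.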
OK. This helps a lot.
For the below input I tried the search query as
index=myindex "Notification"|rex "(MQ) (?\d+) = (?\w+)"|stats count(Notification)
However, it's not working; it says "no result found". The moment I take off ==> stats count(Notification)
it shows values.
Input:
[7/18/17 11:21:36:434 EDT] 00004b1d SystemOut O Notification Type (MQ) = EMAIL
[7/18/17 11:21:36:434 EDT] 00004b1d SystemOut O Notification Type (MQ) = SMS
[7/18/17 11:21:36:434 EDT] 00004b1d SystemOut O Notification Type (MQ) = VOICE