Hi ,

I am trying to extract info from the _raw result of my Splunk query. Currently my _raw result is:

_raw="ServiceOperation=Hudson_RetrivePatientNot|Broker_HostName=CHELSEA|RequestDateTime=20190113T03:02:18.209400|MessageTranID=**8bfa95c4170911e9b1740a099a2b0000**|UserID=A123|AppID=AERO|ExecGrpName=xxxxxx|TimeStamp=2019-01-13T03:02:28.364605|Message="RetrievePatientFailure"|Detail="RetreivePatientNotes""

I would like to extract the MessageTranID, which in this case is '8bfa95c4-1709-11e9-b174-0a099a2b0000', from the above _raw string.

Something like : base search | regex

Can anyone help?

Thanks so much!