index=myIndex container_name="abc-mno-pqr" "body='{headers: {z-gip: "
For this splunk query I am getting events like below
[a43597-etg675-67erty3-ju87y5-0po789] | 2023-10-17 06:39:17.593 [pool-2-thread-26] INFO com.example.event.SampleClasss - Payload {label="PAYLOAD", metadata={source=xyz, id=abc}, body='{headers: {z-gip: BGHTTYU45, content-type:application/json}}
[b73597-o9g675-yherty3-ju87y5-0po789] | 2023-10-17 05:23:12.854 [pool-2-thread-26] INFO com.example.event.SampleClasss - Payload {label="PAYLOAD", metadata={source=xyz, id=abc}, body='{headers: {z-gip: GYTHRESS, content-type:application/json}}
[bn3597-mng675-67ert56-ju87y5-0po789] | 2023-10-17 04:08:45.125 [pool-2-thread-26] INFO com.example.event.SampleClasss - Payload {label="PAYLOAD", metadata={source=xyz, id=abc}, body='{headers: {z-gip: NJU87TGF, content-type:application/json}}
I need to write a splunk query which will give list of transaction IDs along with corresponding gip values like below
| TransactionId | Gip |
|---|---|
| a43597-etg675-67erty3-ju87y5-0po789 | BGHTTYU45 |
| b73597-o9g675-yherty3-ju87y5-0po789 | GYTHRESS |
| bn3597-mng675-67ert56-ju87y5-0po789 | NJU87TGF |
I tried with some regular expressions but none of them worked
| makeresults | eval _raw="[a43597-etg675-67erty3-ju87y5-0po789] | 2023-10-17 06:39:17.593 [pool-2-thread-26] INFO com.example.event.SampleClasss - Payload {label=\"PAYLOAD\", metadata={source=xyz, id=abc}, body='{headers: {z-gip: BGHTTYU45, content-type:application/json}}"
| rex field=_raw "^\[(?<TransactionId>[^\]]+)"
| rex field=_raw "z-gip:\s+(?<Gip>[^,]+)"
| table TransactionId,Gip
This will result in:
TransactionId Gip
a43597-etg675-67erty3-ju87y5-0po789 BGHTTYU45
You can either use the rex command or Settings > Fields > Field extractions.