Extract this specific pattern using regEx ( "message":"TransactionRefNo =====> 37010072") from splunk events using query?

Question

Below is the splunk event:

,"class":"com.tmobile.supplychain.inventoryreceive.service.impl.ReceiveNotificationServiceImpl","sessionid":"41870177","requesttimestamp":"2019-11-20T07:18:04Z","message":"TransactionRefNo =====> 37010072 CassandraGemfireWriteException in insertReceiveNotification RMA-105 | Error occurred while persisting receivenotification payload into Cassandra DB - Receive Notification.

I am trying to capture the Transref numbers for all the events in a splunk using regex. I am using this below query but it's not working.

(index=scs_det sourcetype=scs_det_apps cf_org_name="retail-inventory-serialization" cf_space_name=production cf_app_name="*" cf_app_name="soa-receive-service" "RMA-105" 
| rex field=_raw "transactionRefNo:(?<transaction_ref_no>\d+)" 
| table _time transaction_ref_no 

index=scs_det sourcetype=scs_det_apps cf_org_name="retail-inventory-serialization" cf_space_name=production cf_app_name="*" cf_app_name="soa-receive-service" "RMA-105" 
| rex field=_raw "message:(?<transaction_ref_no>\w+)" 
| table _time transaction_ref_no 

index=scs_det sourcetype=scs_det_apps cf_org_name="retail-inventory-serialization" cf_space_name=production cf_app_name="*" cf_app_name="soa-receive-service" "RMA-105" 
| rex field=_raw "message:(?<Message:^.................................$>) " 
| table _time Message 

All are not working. Could you please some one help me how do i capture the trasref numbers using regex.

Answer 1

rex field=_raw "TransactionRefNo =====> (?<transactionRefNo>\d+)"

Will there always be the 5 = symbols in the message? If it changes, you can try

rex field=_raw "TransactionRefNo =+> (?<transactionRefNo>\d+)"