waffledood

Reputation: 283

Splunk - Use a general statement/regex in transaction endswith

I want to find transactions that end with a particular sentence.

"BAU Process for job job_id has completed in time time_taken"

But other sub-processes in the BAU process have similar wording, so I can't use the string BAU Process for job in the endswith clause. Here are some examples:

"BAU Process for job job_id - Started sub-process A"
"BAU Process for job job_id - Completed sub-process A"
"BAU Process for job job_id - Started sub-process B"
"BAU Process for job job_id - Completed sub-process B"

I need a string for the endswith clause, something like "BAU Process for job %d has completed in time %f". I am not very familiar with Splunk; I have tried Googling but can't seem to hit the correct answers/posts. I'd appreciate anyone who can guide me.

Update

I am able to derive this

| transaction id_A id_B startswith="BAU process starts for id_A" endswith=eval(match(_raw, ".*BAU process for id_A: \d+ : id_B : \d+(has completed in time| failed).*"))

but none of the logs are matching

Here's an example of what the logs look like:

BAU process for id_A: 1518973 : id_B : 61has completed in time : 1234

Note: Yes, there isn't a space between id_B and the word "has".

Can someone help me debug my endswith regex statement?

Upvotes: 0

Views: 305

Answers (1)

waffledood

Reputation: 283

Okay, got it! The query I wrote was correct; it turns out the query wasn't returning results because id_B was not present in some of the logs, hence the mismatch in the number of events returned.

| transaction id_A id_B startswith="BAU process starts for id_A" endswith=eval(match(_raw, ".*BAU process for id_A: \d+ : id_B : \d+(has completed in time| failed).*"))

Upvotes: 2
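Added example (not part of the question or the answer above): a small Python stand-in that runs the poster's endswith regex over constructed log lines, the way Splunk's match(_raw, "...") would, so the behaviour can be checked outside Splunk. Splunk's match() is an unanchored search, so re.search is the equivalent. The sample lines are constructed from the formats quoted in the thread, not real logs; LOOSE_END_RE is my own, more tolerant pattern (optional id_B, optional whitespace before "has"/"failed") added only to surface completion lines that the strict regex silently drops, which is the diagnosis the answer gives.

```python
import re

# Constructed sample log lines modelled on the formats quoted in the question
# (not real logs from the poster's system). Line 3 reproduces the missing
# space before "has"; line 6 is a hypothetical completion line with no id_B,
# the case the answer blames for the mismatch in event counts.
SAMPLE_LOGS = [
    "BAU process starts for id_A: 1518973 : id_B : 61",
    "BAU process for id_A: 1518973 : id_B : 61 - Started sub-process A",
    "BAU process for id_A: 1518973 : id_B : 61 - Completed sub-process A",
    "BAU process for id_A: 1518973 : id_B : 61has completed in time : 1234",
    "BAU process for id_A: 1518974 : id_B : 62 - Started sub-process B",
    "BAU process for id_A: 1518974 : id_B : 62 failed",
    "BAU process for id_A: 1518975has completed in time : 99",
]

# Exactly the pattern the poster passes to Splunk's match(); the leading and
# trailing .* are harmless because the search is unanchored anyway.
STRICT_END_RE = re.compile(
    r".*BAU process for id_A: \d+ : id_B : \d+(has completed in time| failed).*"
)

# Assumed, more tolerant pattern used only for diagnosis: id_B is optional and
# any amount of whitespace may precede the outcome word.
LOOSE_END_RE = re.compile(
    r"BAU process for id_A: (\d+)(?: : id_B : (\d+))?\s*(has completed in time|failed)"
)


def is_transaction_end(line):
    """True if the poster's endswith regex would accept this event as a transaction end."""
    return STRICT_END_RE.search(line) is not None


def strict_end_indexes(lines):
    """Indexes of the lines the strict regex marks as transaction ends."""
    return [i for i, line in enumerate(lines) if is_transaction_end(line)]


def find_unmatched_ends(lines):
    """Completion/failure lines that look like transaction ends but that the
    strict regex rejects (here: lines missing the id_B field). Each such line
    is a transaction Splunk would leave open, which shrinks the result count."""
    return [
        line for line in lines
        if LOOSE_END_RE.search(line) and not STRICT_END_RE.search(line)
    ]


if __name__ == "__main__":
    for i in strict_end_indexes(SAMPLE_LOGS):
        print("end  :", SAMPLE_LOGS[i])
    for line in find_unmatched_ends(SAMPLE_LOGS):
        print("missed:", line)
```

The sub-process "Started"/"Completed" lines are rejected by both patterns, the "61has completed" line is accepted despite the missing space because the regex never asks for one, and the id_B-less line is the one the strict regex drops. If you want those events counted as ends in Splunk, the endswith regex has to make id_B optional, which means also dropping id_B from the transaction fields so the start and end events can still be grouped.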
