What field is being matched on?

DFresh4130 — Fri, 06 Jun 2014 18:44:50 GMT

I'm running the below splunk search and am getting some confusing results.

sourcetype=access_combined POST | rex field=_raw "(?P<response_time>\d([0-9]{5,5}))" | stats count, min(response_time),max(response_time),avg(response_time),median(response_time),stdev(response_time) by host

Below are some of the returned results:

192.168.254.2|-|-|[06/Jun/2014:12:13:03 -0400]|"POST /order/app1/123 HTTP/1.0"|200|284|"-"|"Jakarta Commons-HttpClient"|2802350
192.168.254.2|-|-|[06/Jun/2014:12:13:03 -0400]|"POST /order/app1/123 HTTP/1.0"|200|284|"-"|"Jakarta Commons-HttpClient"|2473207
192.168.254.2|-|-|[06/Jun/2014:12:13:02 -0400]|"POST /order/app1/123 HTTP/1.0"|200|284|"-"|"Jakarta Commons-HttpClient"|3438605
192.168.254.2|-|-|[06/Jun/2014:12:12:46 -0400]|"POST /order/app1/123 HTTP/1.0"|200|284|"-"|"Jakarta Commons-HttpClient"|5334750
192.168.254.2|-|-|[06/Jun/2014:12:12:44 -0400]|"POST /order/app1/123 HTTP/1.0"|200|284|"-"|"Jakarta Commons-HttpClient"|13049640

Based on the rex I should only be getting results where the field is a 5 digit only character field. Looking at the results I'm not seeing any 5 character digit only fields. Last field is the apache response time in microseconds so that's what I'm going for. Only thing I can think of is it's somehow matching on the date field, but there are special characters in between so I'm not sure how that's possible.

Re: What field is being matched on?

richgalloway — Fri, 06 Jun 2014 18:58:32 GMT

I believe you are matching the right field, but not the way you expected. Try this regex string:

(?P<response_time>\|\d([0-9]{5,5}$))

It should find events with only 5 digits at the end following a pipe.

topic What field is being matched on? in All Apps and Add-ons

What field is being matched on?

Re: What field is being matched on?