topic Re: Need Regex to extract the fields in Splunk Enterprise

How to create regex to extract the fields

pchintha — Thu, 24 Mar 2022 04:05:39 GMT

From the below Log:
aoauwersdfx01a-mgt.example.com NewDecom: Info: 164807335647.901 0 10.200.111.06 NONE/504 0 GET http://wpad.example.com/wpad.dat - NONE/wpad.example.com

Need to extract the fields:
Field 1: result=NON/504 change to status=504
Field 2: url=http://wpad.example.com/wpad.dat change to url=wpad.example.com

Need the regular expression for this.

Re: Need Regex to extract the fields

pchintha — Thu, 24 Mar 2022 02:24:19 GMT

@isoutamo hi i need your help for a regex to get the fields

Re: How to create regex to extract the fields

ITWhisperer — Thu, 24 Mar 2022 06:13:45 GMT

| rex field=result "/(?<status>\d+)" | rex field=url "http://(?<url>[^/ ]+)"

Re: How to create regex to extract the fields

pchintha — Thu, 24 Mar 2022 08:33:59 GMT

@ITWhisperer i checked but its not matching anything and also after this work i need to add in props.conf this regex so based on this please share the regex this is not working at all for me.

Re: How to create regex to extract the fields

venky1544 — Thu, 24 Mar 2022 09:47:09 GMT

Hi @pchintha

quick question before the regex

is the status code always prefixed with NONE

and also for the url at the end of the log is it always prefixed with NONE/wpad.example.com

if yes

NONE\/(?<url>[a-z.]+)

NONE\/(?<status>\d+)

above are individual regex and below is one single regex if NONE is always preceded before URL and status

NONE\/(?<status>\d+)([\w+ :\/\/.-]+)NONE\/(?<url>[[a-z.]+)

---------------------

Hope this helps

If you find the answer helpful please accept the solution also karma is appreciated

Re: How to create regex to extract the fields

pchintha — Thu, 24 Mar 2022 10:09:52 GMT

@venky1544 thanks for your help, but i need only the output is

status=504 not to be like status=/504

url=wpad.example.com not to be like url=http://wpad.example.com

Here we are separating the http:// only we are not checking the NONE things in the url field

Re: Need Regex to extract the fields

pchintha — Thu, 24 Mar 2022 11:53:51 GMT

any luck from anyone.

Re: How to create regex to extract the fields

venky1544 — Thu, 24 Mar 2022 12:02:12 GMT

Hi @pchintha

what do you mean by /504 and url=http://wpad.example.com

clearly the regex is extracting 504 and not /504 and wpad.example.com

Please check the screenshot there is nothing wrong with the reg ex

it seems you are doing something in correct in splunk while implementing the regex

please share your complete splunk query how you are executing it

Re: How to create regex to extract the fields

diogofgm — Thu, 24 Mar 2022 12:54:58 GMT

there errors you are getting there its because in regex101 you need to escape the "/" like "\/"