topic Splunk Rex query to extract field after a particular exact word only in Splunk Search

Splunk Rex query to extract field after a particular exact word only

jonthree — Mon, 15 Mar 2021 14:15:23 GMT

So this is my sample data :

10.3.31.252 - - 15/Mar/2021:14:06:28 +0000 "POST /usenames/rest/sessionscookie dest oamdashboard-oamdashboard.myapp.com/usenames/rest/sessionscookie location usenames upstream_host 10.3.58.247:80 response_from_above 401 user- - - - - myuser myuser 1

I want to extract the status code from this string (which is 401) and user value which is myuser (BOLD sentence mentioned in above logs)

How should i write a rex for this in splunk search query ? Also it may happen that status code does not contain any value and instead of 401, value will be simply hyphen(-).

Also, hyphens after user field may vary and i want exactly 5 hyphens to match the word, otherwise not.

I tried to achieve this by using following:

| rex "response_from_above (?<status>\d+) user - - - - - (?<userid>\w+)" but i am not able to figure this out.

Re: Splunk Rex query to extract field after a particular exact word only

Vardhan — Mon, 15 Mar 2021 14:23:19 GMT

Hi,

use the below regex.

| rex "response_from_above\s+(?<status>\d+)\s+user.*\s+(?<user>\w+)\s+\w+\s+\d"

Re: Splunk Rex query to extract field after a particular exact word only

jonthree — Wed, 17 Mar 2021 05:52:43 GMT

Thanks. Also, how do i search for a particular status on this ..like if i want to search the logs having 401 status code only and not with status code 200 or 500 ?

Re: Splunk Rex query to extract field after a particular exact word only

Vardhan — Wed, 17 Mar 2021 05:59:43 GMT

Hi @jonthree,

You can search the status logs using search command.

| rex "response_from_above\s+(?<status>\d+)\s+user.*\s+(?<user>\w+)\s+\w+\s+\d" |search status=401

This search will only return status 401 logs.

If this answer helps you then up vote it.