Extract raw data for URL into field

nbhat — Fri, 21 Jan 2022 08:58:17 GMT

Hi,

In the following log, I wanted to extract Url, Method, ResponseTimeMs, StatusCode as a table:

log: a_level="INFO", a_time="null", a_sub="xxx", a_uid="xx", a_tid="xx", a_rid="guid", a_thread="175" a_type="type", a_met="Move", a_msg="Method=GET,Uri=http://monolith-xxx.abc.com/v2/clients?skip=0top=100,MediaType=null,RemoteIP=::ffff:10.10.10.10,XRemoteIP=null,ContentType=application/json,ContentLength=9702,ResponseTimeMs=54,StatusCode=200,ReasonPhrase=null,Referrer=null

For URL, I wanted the full extract "http://monolith-xxx.abc-xyz/v2/clients?skip=0top=100"

My current splunk query is as below:

index=aws_abc env=prd-01 uri Method StatusCode ResponseTimeMs
| eval DataSet=log
| rex field=DataSet "ResponseTimeMs=(?<ResponseTimeMs>\d+),StatusCode=(?<StatusCode>\d+)"
| rex field=DataSet "Url=(?<uri>[^,]+),Method=(?<Method>\w+)"
| table Url,Method,ResponseTimeMs, StatusCode

I get value in the table for ResponseTimeMs, StatusCode but not for URL and Method. Please help. Thanks

Re: Extract raw data for URL into field

johnhuang — Fri, 21 Jan 2022 09:31:27 GMT

Not sure if there's typos in the example you've provided, the string after "a_msg" seems inconsistent with previous format.

Anyways, this was written have some flexibilty in accomodating possible typos your event example.

| rex field=DataSet "\"?Method\"?\=(?<Method>[^,]*)\,Uri=(?<uri>[^\,]+)"

Re: Extract raw data for URL into field

nbhat — Fri, 21 Jan 2022 13:47:33 GMT

Thank you very much

topic Extract raw data for URL into field in Splunk Search

Extract raw data for URL into field

Re: Extract raw data for URL into field

Re: Extract raw data for URL into field