topic How to extract token from HTTP header? in Splunk Search https://community.splunk.com/t5/Splunk-Search/How-to-extract-token-from-HTTP-header/m-p/597745#M208142 <P>Hello Everyone,</P> <P>I have a set of data with a lot of HTTP requests, where I want to extract only the tokens highlighted below.&nbsp;</P> <P><SPAN class=""><SPAN class="">header=Authorization=Basic</SPAN></SPAN> <STRONG><SPAN class="">MmQyXXXXXXXXNDVjOTlkNTJlM2M0ZjA1MzVjYTI4ZGZkMzJmNTBlMjk=</SPAN></STRONG></P> <P>&nbsp;</P> <P>&nbsp;</P> <LI-CODE lang="markup">2022-05-13 10:07:07,772 INFO [io.undertow.request.dump] (default task-13778) ----------------------------REQUEST--------------------------- URI=/auth/realms/Public/protocol/openid-connect/token characterEncoding=null contentLength=29 contentType=[application/x-www-form-urlencoded;charset=UTF-8] header=Accept=application/json, application/x-www-form-urlencoded header=Cache-Control=no-cache header=Pragma=no-cache header=User-Agent=Java/11.0.4 header=Connection=keep-alive header=Authorization=Basic MmQyXXXXXNDVjOTlkNTJlM2M0ZjA1MzVjYTI4ZGZkMzJmNTBlMjk= header=Content-Type=application/x-www-form-urlencoded;charset=UTF-8 header=Content-Length=29</LI-CODE> <P>&nbsp;</P> <P>&nbsp;</P> <P>I tried with the Field Extractor wizard, but with no luck.&nbsp;</P> <P>Can you please advise, how to achieve this?&nbsp;</P> Fri, 13 May 2022 16:14:00 GMT miberecz 2022-05-13T16:14:00Z How to extract token from HTTP header? https://community.splunk.com/t5/Splunk-Search/How-to-extract-token-from-HTTP-header/m-p/597745#M208142 <P>Hello Everyone,</P> <P>I have a set of data with a lot of HTTP requests, where I want to extract only the tokens highlighted below.&nbsp;</P> <P><SPAN class=""><SPAN class="">header=Authorization=Basic</SPAN></SPAN> <STRONG><SPAN class="">MmQyXXXXXXXXNDVjOTlkNTJlM2M0ZjA1MzVjYTI4ZGZkMzJmNTBlMjk=</SPAN></STRONG></P> <P>&nbsp;</P> <P>&nbsp;</P> <LI-CODE lang="markup">2022-05-13 10:07:07,772 INFO [io.undertow.request.dump] (default task-13778) ----------------------------REQUEST--------------------------- URI=/auth/realms/Public/protocol/openid-connect/token characterEncoding=null contentLength=29 contentType=[application/x-www-form-urlencoded;charset=UTF-8] header=Accept=application/json, application/x-www-form-urlencoded header=Cache-Control=no-cache header=Pragma=no-cache header=User-Agent=Java/11.0.4 header=Connection=keep-alive header=Authorization=Basic MmQyXXXXXNDVjOTlkNTJlM2M0ZjA1MzVjYTI4ZGZkMzJmNTBlMjk= header=Content-Type=application/x-www-form-urlencoded;charset=UTF-8 header=Content-Length=29</LI-CODE> <P>&nbsp;</P> <P>&nbsp;</P> <P>I tried with the Field Extractor wizard, but with no luck.&nbsp;</P> <P>Can you please advise, how to achieve this?&nbsp;</P> Fri, 13 May 2022 16:14:00 GMT https://community.splunk.com/t5/Splunk-Search/How-to-extract-token-from-HTTP-header/m-p/597745#M208142 miberecz 2022-05-13T16:14:00Z Re: Extract token from HTTP header https://community.splunk.com/t5/Splunk-Search/How-to-extract-token-from-HTTP-header/m-p/597750#M208146 <P>Try something like this</P><LI-CODE lang="markup">| rex "header=Authorization=Basic\s(?&lt;auth&gt;\S*)"</LI-CODE> Fri, 13 May 2022 09:06:57 GMT https://community.splunk.com/t5/Splunk-Search/How-to-extract-token-from-HTTP-header/m-p/597750#M208146 ITWhisperer 2022-05-13T09:06:57Z