topic Re: REX - extract second field between quotes in Splunk Search

How to extract second field between quotes and add url?

Mick_OBrien — Wed, 07 Sep 2022 15:52:05 GMT

I have logs of the format...

2022-09-07T01:42:06.321624+00:00 micro.service 2867ce23-bdfd-48eb-ba5a-40e1e8a93987[[APP/PROC/WEB/0]] 159.203.190.66, 100.64.144.3 - - - [07/Sep/2022:01:42:06 +0000] "GET url HTTP/1.1" 404 125

...and I want to extract a count of missing URLs by microservice. I can get a count of microservice using...

index=myIndex "404 125" | rex "^\S+\s(?<microService>\S+).*" | bucket _time span=day | stats count by microService

...but I would like to know how to add the url

Any help appreciated

Re: REX - extract second field between quotes

gcusello — Wed, 07 Sep 2022 08:25:58 GMT

Hi @Mick_OBrien,

let me understand: in your sample you want to extract: "micro.service" and "APP/PROC/WEB/0", is it correct?

If this is your need, please try this:

| rex "^\S+\s(?<microService>\S+).*.\[\[(?<url>[^\]]+)"

that you can test at https://regex101.com/r/HFgP6J/1

Ciao.

Giuseppe

Re: REX - extract second field between quotes

Mick_OBrien — Wed, 07 Sep 2022 08:30:20 GMT

Hi @gcusello

Thanks for reply but I want to extract the url after the GET

Mick

Re: REX - extract second field between quotes

gcusello — Wed, 07 Sep 2022 08:38:48 GMT

Hi @Mick_OBrien,

ok, please try this:

| rex "^\S+\s(?<microService>\S+).*.\"GET\s+(?<url>[^ ]+)"

that you can test at https://regex101.com/r/HFgP6J/2

Ciao.

Giuseppe

Re: REX - extract second field between quotes

Mick_OBrien — Wed, 07 Sep 2022 08:45:20 GMT

@gcusello

Thanks - that seems to be working!

Re: REX - extract second field between quotes

gcusello — Wed, 07 Sep 2022 09:04:32 GMT

Hi @Mick_OBrien,

good for you, see next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated 😉