https://community.splunk.com/t5/Splunk-Search/How-to-achieve-field-extraction-txt-delimiting-by-space/m-p/625197#M217333 <P>That definitely works for the time being. Thank you very much!</P> Fri, 23 Dec 2022 19:53:28 GMT user33 2022-12-23T19:53:28Z https://community.splunk.com/t5/Splunk-Search/How-to-achieve-field-extraction-txt-delimiting-by-space/m-p/625113#M217298 <P>Hello,</P> <P>I am trying to extract the below <EM><FONT color="#FF0000">201</FONT>&nbsp;</EM>text highlighted in red below as <STRONG>one</STRONG> separate field from two separate events. How may I do this? I attempted the field extraction feature in Splunk but had no luck. Any assistance is appreciated!</P> <DIV class=""> <DIV class=""><STRONG><SPAN class="">Event 1:</SPAN></STRONG></DIV> <DIV class=""><EM><SPAN class="">106.51.86.25</SPAN> [<SPAN class="">22/Dec/2022:07:48:10</SPAN> <SPAN class="">-0500</SPAN>] <SPAN class=""><SPAN class="">POST</SPAN> <SPAN class="">/services/public/v1/signup</SPAN></SPAN> <SPAN class=""><SPAN class="">HTTP</SPAN>/1.1</SPAN> <FONT color="#FF0000"><SPAN class="">201</SPAN></FONT> <SPAN class="">5</SPAN> <SPAN class="">539</SPAN></EM></DIV> <DIV class="">&nbsp;</DIV> <DIV class=""><STRONG><SPAN class="">Event 2:</SPAN></STRONG></DIV> <DIV class=""><EM><SPAN class="">23.197.194.86 - - [22/Dec/2022:07:48:09 -0500] "<SPAN class="">POST /services/public/v1/signup</SPAN> HTTP/1.1" <FONT color="#FF0000">201</FONT> -</SPAN></EM></DIV> </DIV> Thu, 22 Dec 2022 17:03:57 GMT https://community.splunk.com/t5/Splunk-Search/How-to-achieve-field-extraction-txt-delimiting-by-space/m-p/625113#M217298 user33 2022-12-22T17:03:57Z https://community.splunk.com/t5/Splunk-Search/How-to-achieve-field-extraction-txt-delimiting-by-space/m-p/625116#M217300 <P>This is NCSA's httpd access log format which Splunk provides a stock extraction. &nbsp;Just set sourcetype to "access_combined" or "access_common". &nbsp;This will give you the best result. &nbsp;You can study related stanzas in &nbsp;etc/system/default/props.conf to see how it is done.</P> Thu, 22 Dec 2022 17:24:55 GMT https://community.splunk.com/t5/Splunk-Search/How-to-achieve-field-extraction-txt-delimiting-by-space/m-p/625116#M217300 yuanliu 2022-12-22T17:24:55Z https://community.splunk.com/t5/Splunk-Search/How-to-achieve-field-extraction-txt-delimiting-by-space/m-p/625124#M217303 <P>Thank you. I can look into that. Is there a short-term solution I can do in the interim?&nbsp;</P> Thu, 22 Dec 2022 18:59:08 GMT https://community.splunk.com/t5/Splunk-Search/How-to-achieve-field-extraction-txt-delimiting-by-space/m-p/625124#M217303 user33 2022-12-22T18:59:08Z https://community.splunk.com/t5/Splunk-Search/How-to-achieve-field-extraction-txt-delimiting-by-space/m-p/625148#M217313 <P>I didn't notice that the logs in Event 1 is not fully conformant to NCSA. &nbsp;This is horrible and you should get the developers/admins to fix that. &nbsp;In the short term, if HTTP status is the only field of interest, you can try</P><LI-CODE lang="markup">| rex "(GET|POST|HEAD|DELETE) +\S+ +HTTP/\S+\s+(?&lt;http_status&gt;\d+)"</LI-CODE><P>Here I'm trying to make this as robust as possible according to the posted patterns and some educated guesses. &nbsp;But given that your developers are not respecting a well-established &nbsp;format, there's no guarantee that they'll follow this pattern in all cases.</P> Fri, 23 Dec 2022 01:42:43 GMT https://community.splunk.com/t5/Splunk-Search/How-to-achieve-field-extraction-txt-delimiting-by-space/m-p/625148#M217313 yuanliu 2022-12-23T01:42:43Z https://community.splunk.com/t5/Splunk-Search/How-to-achieve-field-extraction-txt-delimiting-by-space/m-p/625197#M217333 <P>That definitely works for the time being. Thank you very much!</P> Fri, 23 Dec 2022 19:53:28 GMT https://community.splunk.com/t5/Splunk-Search/How-to-achieve-field-extraction-txt-delimiting-by-space/m-p/625197#M217333 user33 2022-12-23T19:53:28Z