topic How to extract IP hostname SplunkAgent and Machine architecture from splunkd_access log? in Splunk Search

How to extract IP hostname SplunkAgent and Machine architecture from splunkd_access log?

kell_cena — Thu, 13 Apr 2023 18:38:58 GMT

10.179.130.56 - - [14/Apr/2023:01:59:28.233 +0800] "POST /services/broker/phonehome/connection_10.179.130.56_8089_10.179.130.56_MYETKPWSQL002_918B12BB-35AB-452A-BAEB-592395125496 HTTP/1.1" 200 530 "-" "Splunk/8.2.7 (Windows Server 10 Standard Edition; arch=x64)" - 1ms

10.16.36.90 - - [13/Apr/2023:18:27:12.290 +0000] "POST /services/broker/phonehome/connection_10.16.36.90_8089_usseacwsrv190.us.xyz.com_usseacwsrv190_4D304A0A-05E2-483B-B2B5-7CF8A8928B7A HTTP/1.1" 200 24 "-" "Splunk/8.2.7 (Windows Server 10 Datacenter Edition; arch=x64)" - 2ms

Hi Everyone
Please help me with the regex to extract the following fields highlighted in bold.

How to extract IP hostname SplunkAgent and Machine architecture from splunkd_access log?

rut — Thu, 13 Apr 2023 18:57:03 GMT

The following should work on both examples:

| rex field=_raw "^(?<field1>(\d+\.?){4})[^"]+\"\w+\s(\/\w+)+([^_]+_){3}(?<field2>[^_]+).+(?<field3>Splunk[^\;]+);"

Re: How to extract IP hostname SplunkAgent and Machine architecture from splunkd_access log?

woodcock — Fri, 14 Apr 2023 01:29:28 GMT

| makeresults
| eval _raw="10.179.130.56 - - [14/Apr/2023:01:59:28.233 +0800] \"POST /services/broker/phonehome/connection_10.179.130.56_8089_10.179.130.56_MYETKPWSQL002_918B12BB-35AB-452A-BAEB-592395125496 HTTP/1.1\" 200 530 \"-\" \"Splunk/8.2.7 (Windows Server 10 Standard Edition; arch=x64)\" - 1ms"
| rex "(?<src>\S+)\s*(?<foo>\S+)\s*(?<bar>\S+)\s+\[(?<timestamp>[^\]]+)\]\s+\"(?<request>[^\"]+)\"\s+(?<http_response_code>\d+)\s*(?<other_code>\d+)\s+\"(?<bat>[^\"]+)\"\s+\"(?<spunk_agent>\S+)\s+(?<architecture>[^\"]+)\"\s+(?<boo>\S+)\s+(?<response_time>\S+)"