topic Re: How to change current regex for field extraction of whole Set-Cookie from Squid events? in Splunk Search

How to change current regex for field extraction of whole Set-Cookie from Squid events?

psidler — Wed, 30 Jul 2014 19:46:18 GMT

Hi I am trying to extract multiple Set-Cookie from Squid Events.

props.conf

REPORT-set_cookie = extract-set_cookies
REPORT-cookie = extract-cookies

transforms.conf

[extract-set_cookies]
REGEX = (?i)\\nSet-Cookie: (?P<set_cookie>[^\\]+)
MV_ADD = true

[extract-cookies]
REGEX = (?i)\\nCookie: (?P<cookie>[^\\]+)
MV_ADD = true

But now, my field set_cookie has the following content:

jive.security.context=

Here it cutted some content, because the original Set-Cookie from the Event looked like this:

Set-Cookie: jive.security.context=\"4Z2cMbTSRIsGjW.LTE=\"; Version=1; Max-Age=2592000; Expires=Fri, 29-Aug-2014 10:41:22 GMT; Path=/;HttpOnly

What do i have to change in my Regex to get the whole Set-Cookie?

Thanks in Advance for your help.
Regards,
Patrik

Re: How to change current regex for field extraction of whole Set-Cookie from Squid events?

dshpritz — Thu, 31 Jul 2014 02:37:15 GMT

You may want to post the whole event. The regex can be changed, but to do so, it will most likely require context.

Re: How to change current regex for field extraction of whole Set-Cookie from Squid events?

psidler — Thu, 31 Jul 2014 06:13:45 GMT

The whole Event looks like this:

176 192.168.200.176:1096 TCP_MISS/200 779 GET http://community.xmatters.com/__services/v2/rest/browserEvents/1406716809714? - DIRECT/204.93.75.166 application/json "Accept: application/json, text/javascript, */*; q=0.01\r\nAccept-Language: de-ch\r\nReferer: http://community.xmatters.com/welcome\r\nx-j-token: no-user\r\nx-requested-with: XMLHttpRequest\r\nContent-Type: application/json\r\nAccept-Encoding: gzip, deflate\r\nUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)\r\nHost: community.xmatters.com\r\nProxy-Connection: Keep-Alive\r\nCookie: jive.security.context=\"4Z2cMbTSRIsGjW.LTE=\"; JSESSIONID=350D94C62712F8858A.; BIGipServerm2s4c5-20-pool=1795401482.20480.0000; __utma=167379756.1989004756.1406722801.1406722801.1406722801.1; __utmb=167379756.1.10.1406722801; __utmc=167379756; __utmz=167379756.1406722801.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); lastDocument=Willkommen%20%7C%20xCommunity; _mkto_trk=id:178-CPU-592&token:_mch-xmatters.com-1406722802185-40555\r\n" "HTTP/1.1 200 OK\r\nDate: Wed, 30 Jul 2014 10:41:22 GMT\r\nServer: Apache-Coyote/1.1\r\nP3P: CP=\"CAO PSA OUR\"\r\nX-JIVE-USER-ID: -1\r\nContent-Type: application/json\r\nContent-Length: 76\r\nExpires: Wed, 30 Jul 2014 10:41:22 GMT\r\nCache-Control: no-store, no-cache, must-revalidate, private, max-age=0\r\nX-UA-Compatible: IE=edge\r\nX-JSL: D=4582 t=1406716882338765\r\nSet-Cookie: jive.security.context=\"4Z2cMbTSRIsGjW.LTE=\"; Version=1; Max-Age=2592000; Expires=Fri, 29-Aug-2014 10:41:22 GMT; Path=/;HttpOnly\r\nVary: User-Agent\r\nKeep-Alive: timeout=5, max=100\r\nConnection: Keep-Alive\r\n\r"

Re: How to change current regex for field extraction of whole Set-Cookie from Squid events?

somesoni2 — Thu, 31 Jul 2014 19:28:16 GMT

What is the expected value for set_cookie (from the sample event)?

Re: How to change current regex for field extraction of whole Set-Cookie from Squid events?

psidler — Thu, 31 Jul 2014 19:41:37 GMT

That is what I expect:

jive.security.context=\"4Z2cMbTSRIsGjW.LTE=\"; Version=1; Max-Age=2592000; Expires=Fri, 29-Aug-2014 10:41:22 GMT; Path=/;HttpOnly

and that is what I get with my Regular Expression:

jive.security.context=

Re: How to change current regex for field extraction of whole Set-Cookie from Squid events?

somesoni2 — Thu, 31 Jul 2014 19:47:09 GMT

One more question, I can see some "\r\n" in your logs. Are they literal character "\r\n" or they are new line but got converted here while pasting?

Re: How to change current regex for field extraction of whole Set-Cookie from Squid events?

psidler — Thu, 31 Jul 2014 19:50:30 GMT

They are literal character. They appear as \r\n in the message. In SPlunk they look the same as here in this post.

Re: How to change current regex for field extraction of whole Set-Cookie from Squid events?

somesoni2 — Thu, 31 Jul 2014 21:05:16 GMT

Give this try

your base search | rex "(?i)Set-Cookie:\s*(?P<set_cookie>((?:(?!\\\r).)*))"

props.conf

EXTRACT-set_cookie = (?i)Set-Cookie:\s*(?P<set_cookie>((?:(?!\\r).)*))

Re: How to change current regex for field extraction of whole Set-Cookie from Squid events?

psidler — Thu, 31 Jul 2014 21:33:50 GMT

Thank you very much for your help.
Now i receive the result I expect!

Best Regards,
Patrik