All Apps and Add-ons
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Splunk Only Extracts Part of a Field Instead of All

henryt1
Path Finder
‎12-03-2012 08:43 AM

Hello,

I'm trying to extract a field in Splunk, but for some reason it's only extracting part of the field. For instance, here is the raw file that I am seeing:

[03/Dec/2012:13:11:51 +0000] "GET /profile-services/talent?src=document_patents&q=(%22pelvis%22)%20AND%20NOT%20(%22childbirth%22)&normalize=1&clusterxml=1&proj=f8c6ade298d8adc5b6a4346f6acd7580&sort=relevance&start=0&limit=10 HTTP/1.1" 200 6232 "https://pg.inno-360.com/projects/f8c6ade298d8adc5b6a4346f6acd7580/landscapes" "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.19) Gecko/20110707 Firefox/3.6.19" pg.inno-360.com 636009

Out of that file, I am interested in the field 'q', which would be the following:

q=(%22pelvis%22)%20AND%20NOT%20(%22childbirth%22)

However, when I run the query "... | stats count by q" I am just given the following:

(%22pelvis%22)

It looks like for some reason Splunk is only extracting the first part of the field instead of the whole thing. I was curious if there was a way to change the field extraction to get the entire thing or if this would be possible in any way. Any help on this would be greatly appreciated, thanks in advance.

-Tyler

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

MHibbin
Influencer
‎12-03-2012 08:54 AM

Using the SPL, you can try the following rex command and test the following regex

q=(?P<q>[^\&]+)

So, once you have your results:

<yourGeneratingSearch> | rex field=_raw "q=(?P<q>[^\&]+)"

This should look in the raw field and then assign the field as anything from q= upto the next use of &.

If this works, you can update/save this as the extraction for q and it will override Splunk's extraction.

Hope this helps.

View solution in original post

Reply
Solved! Jump to solution
Solution

MHibbin
Influencer
‎12-03-2012 08:54 AM

Using the SPL, you can try the following rex command and test the following regex

q=(?P<q>[^\&]+)

So, once you have your results:

<yourGeneratingSearch> | rex field=_raw "q=(?P<q>[^\&]+)"

This should look in the raw field and then assign the field as anything from q= upto the next use of &.

If this works, you can update/save this as the extraction for q and it will override Splunk's extraction.

Hope this helps.

Reply
Solved! Jump to solution

MHibbin
Influencer
‎12-04-2012 12:24 AM

Glad it helped.

0 Karma
Reply
Solved! Jump to solution

henryt1
Path Finder
‎12-03-2012 11:33 AM

This worked perfect, thanks!

0 Karma
Reply
Solved! Jump to solution

alacercogitatus
SplunkTrust
SplunkTrust
‎12-03-2012 08:54 AM

It almost appears as if the field extractor is urldecoding that line, and then because the resulting string is q=("pelvis") AND NOT ("childbirth"), it stops at the space after the ). You could run it through rex and see what works.

your_search| rex field=_raw "q=(?<query>[^&]*)&" assuming that everytime your page is called, there is another parameter after the q parameter.

0 Karma
Reply
Register for .conf25!
Get Updates on the Splunk Community!

Deep Dive into Federated Analytics: Unlocking the Full Power of Your Security Data

In today’s complex digital landscape, security teams face increasing pressure to protect sprawling data across ...

Your summer travels continue with new course releases

Summer in the Northern hemisphere is in full swing, and is often a time to travel and explore. If your summer ...

From Alert to Resolution: How Splunk Observability Helps SREs Navigate Critical ...

It's 3:17 AM, and your phone buzzes with an urgent alert. Wire transfer processing times have spiked, and ...