Solved: field extraction using transforms and props

gajananh999 · ‎08-12-2014

Dear All,

i Have same events like.

10.XX.XX.241 10.XX.1XX.201 - - [07/Jul/2014:07:52:05 -0400] "GET /XXX/qiepp/safety/argus?_adf.ctrl-state=431o46udc_4&_afrLoop=663089210549944 HTTP/1.1" 200 42450 "-" "**Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E**)"

I need to extract this this user_agent. using props.conf or by using field extraction

i used this but its not working

(?i)=.*?" "(?P<FIELDNAME>\w+/\d+\.\d+\s+\(\.\*\))(?=")

can anyone help out here?

Thanks

Gajanan Hiroji

somesoni2 · ‎08-12-2014

This works for me for the sample data

your base search | rex "(?i)=.*?\" \"(?P<FIELDNAME>.*)(?=\")"

View solution in original post

somesoni2 · ‎08-12-2014

This works for me for the sample data

your base search | rex "(?i)=.*?\" \"(?P<FIELDNAME>.*)(?=\")"

field extraction using transforms and props

See your relevant APM services, dashboards, and alerts in one place with the updated ...

Index This | What goes away as soon as you talk about it?

What's New in Splunk Observability Cloud and Splunk AppDynamics - May 2025

Are you a member of the Splunk Community?

field extraction using transforms and props

See your relevant APM services, dashboards, and alerts in one place with the updated ...

Index This | What goes away as soon as you talk about it?

What's New in Splunk Observability Cloud and Splunk AppDynamics - May 2025