- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Can you help me write a regular expression
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Need to extract Insurer , User , Dealer name
2019-11-01 06:54:20 W3SVC4 AUSYD11AS90 172.29.5.28 GET /Areas/Framework/Content/Style/fonts/open-sans-v10-latin-regular.woff2 - 80 - 172.29.0.250 HTTP/1.1 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64;+rv:60.0)+Gecko/20100101+Firefox/60.0 AUTOMOTIVE_LastLoginId=MS3352919;+External_UserType=USER1;+External_ID=tEST1;+First_level_Hierarchy=TEST2;+Second_level_Hierarchy=tEST;+Account_Type=DBA;+Dealer_Outlet_Name=;+Title=;+Insurer=ABC;+encryptedcookie=470097324.20480.0000;
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try this :
| makeresults
| eval _raw="2019-11-01 06:54:20 W3SVC4 AUSYD11AS90 172.29.5.28 GET /Areas/Framework/Content/Style/fonts/open-sans-v10-latin-regular.woff2 - 80 - 172.29.0.250 HTTP/1.1 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64;+rv:60.0)+Gecko/20100101+Firefox/60.0 AUTOMOTIVE_LastLoginId=MS3352919;+External_UserType=USER1;+External_ID=tEST1;+First_level_Hierarchy=TEST2;+Second_level_Hierarchy=tEST;+Account_Type=DBA;+Dealer_Outlet_Name=;+Title=;+Insurer=ABC;+encryptedcookie=470097324.20480.0000;"
| rex "Account_Type=(?<Account_Type>[^\(;\+)]+)"
| rex "Insurer=(?<Insurer>[^\(;\+)]+)"
| rex "Dealer_Outlet_Name=(?<Dealer_Outlet_Name>[^\(;\+)]+)"
in your environment you should try:
index=<your_index>| rex "Account_Type=(?<Account_Type>[^\(;\+)]+)"
| rex "Insurer=(?<Insurer>[^\(;\+)]+)"
| rex "Dealer_Outlet_Name=(?<Dealer_Outlet_Name>[^\(;\+)]+)"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
| stats count
| eval _raw="2019-11-01 06:54:20 W3SVC4 AUSYD11AS90 172.29.5.28 GET /Areas/Framework/Content/Style/fonts/open-sans-v10-latin-regular.woff2 - 80 - 172.29.0.250 HTTP/1.1 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64;+rv:60.0)+Gecko/20100101+Firefox/60.0 AUTOMOTIVE_LastLoginId=MS3352919;+External_UserType=USER1;+External_ID=tEST1;+First_level_Hierarchy=TEST2;+Second_level_Hierarchy=tEST;+Account_Type=DBA;+Dealer_Outlet_Name=;+Title=;+Insurer=ABC;+encryptedcookie=470097324.20480.0000;"
| kv
Hi,
Insuer:
User:
Dealer name:
What is the value for this log?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try this :
| makeresults
| eval _raw="2019-11-01 06:54:20 W3SVC4 AUSYD11AS90 172.29.5.28 GET /Areas/Framework/Content/Style/fonts/open-sans-v10-latin-regular.woff2 - 80 - 172.29.0.250 HTTP/1.1 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64;+rv:60.0)+Gecko/20100101+Firefox/60.0 AUTOMOTIVE_LastLoginId=MS3352919;+External_UserType=USER1;+External_ID=tEST1;+First_level_Hierarchy=TEST2;+Second_level_Hierarchy=tEST;+Account_Type=DBA;+Dealer_Outlet_Name=;+Title=;+Insurer=ABC;+encryptedcookie=470097324.20480.0000;"
| rex "Account_Type=(?<Account_Type>[^\(;\+)]+)"
| rex "Insurer=(?<Insurer>[^\(;\+)]+)"
| rex "Dealer_Outlet_Name=(?<Dealer_Outlet_Name>[^\(;\+)]+)"
in your environment you should try:
index=<your_index>| rex "Account_Type=(?<Account_Type>[^\(;\+)]+)"
| rex "Insurer=(?<Insurer>[^\(;\+)]+)"
| rex "Dealer_Outlet_Name=(?<Dealer_Outlet_Name>[^\(;\+)]+)"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks, it worked
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
When you say "User", do you actually mean "External_ID" or some other named field?
Technically speaking, your example contains a user field with a value of "-".
The same clarification applies for "Dealer name" -- do you actually mean "Dealer_Outlet_Name"?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I am interested in extracting these fields -
+Insurer
+Dealer_Outlet_Name
+Account_Type
Since some times sequence of these fields can be changes, I want regular expression which contains the field name too like "hostname:(?P[^,]+)[^\n]"
How do I do for the above fields
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Can you please provide expected output for each field ?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
For example Insurer field = ABC
Account_Type = DBA
Adoption of RUM and APM at Splunk
Routing logs with Splunk OTel Collector for Kubernetes
Welcome to the Splunk Community!
