Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Extract URL field with regex for certain error codes

splunkchris2
New Member
‎09-10-2019 12:56 AM

Hi everyone,

I have one logfile per day that is filled with several lines of information showing requests to play video streams:

ABC: [2019:09:10 09:39:15] abcdefg 1234567890 -hijklmnopqrs !warning! Request to play stream : "http://holiday.mpeg" on [website]

ABC: [2019:09:10 09:39:16] abcdefg 1234567890 -hijklmnopqrs !warning! Show error message : "Streamfail"

ABC: [2019:09:10 09:39:20] abcdefg 1234567890 -hijklmnopqrs success

And I am trying to extract the URLs that are listed in the file if there is the error message "Streamfail".

So for the example above I would like to extract the video name as well as the occurence:
1 x holiday.mpeg

I have tried the following:
index=website.log ("Show error message" AND "Streamfail")
| rex field=_raw "\/(?[^\?\/]+)\?"
| stats count by Streamfail

Tags (1)
0 Karma
Reply

splunkchris2
New Member
‎09-11-2019 05:41 AM

I'm quite a Splunk Newbie so sorry for asking.
The logs have an individual logID, but how could this be of any help?
By the lists you mean, e.g. list1=fails: Streamfails, Loginfail, Downloadfail, etc.; and list2=success: streamsuccess, loginsuccess, downloadsuccess...

0 Karma
Reply

jpolvino
Builder
‎09-11-2019 05:53 AM

If there was some sort of transaction ID, that can help tie things together. In your sample, what does do these fields signify? ABC, abcdefg,1234567890, hijklmnopqrs. Are these values static across all events, or are one or more of them unique for each file request?

In some systems, you'll find something like this (simplifying your example):
[2019:09:10 09:39:15] 12345 !warning! Request to play stream : "http://holiday.mpeg" on [website]
[2019:09:10 09:39:16] 12345 !warning! Show error message : "Streamfail"
[2019:09:10 09:39:20] 12345 success
[2019:09:10 09:39:21] 6789 !warning! Request to play stream : "http://splunk.mpeg" on [website]
[2019:09:10 09:39:30] 6789 success

In this case, transaction ID 12345 has the error message you seek, so the file associated with that transaction ID is what you want displayed, The transaction ID 6789 does not have the error message, so you don't care about this transaction's file.

If this is accurate, then one approach would be to collect all transaction IDs that have Streamfail, and then use those transaction IDs to find the filenames.

0 Karma
Reply

jpolvino
Builder
‎09-10-2019 08:05 AM

One potential problem is that you may have several requests intermingled, some successful and some not. Do your logs have any unique identifiers, such as a session ID or request ID? If so, then you could use that to identify IDs containing errors and then use that ID to find the file.

Can you provide a listing of events that are successful, and a listing of events that indicate failure?

0 Karma
Reply

thiru_wf
Observer
‎09-10-2019 05:11 AM

| rex field=_raw "\/(?P.[^\?\/\"]+)[\?\/\"]"

0 Karma
Reply

splunkchris2
New Member
‎09-10-2019 05:57 AM

Thanks, but it returns the following error:
⚠ Error in 'rex' command: Encountered the following error while compiling the regex '\/(?P.[^\?\/"]+)[\?\/"]': Regex: unrecognized character after (?P

0 Karma
Reply
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...