extarct specific field with regex

khanlarloo · ‎09-28-2018

i want to extract the field with the name of http_agent from my logs
the raw field is :

"http_host=""nts.mapnanyp.com""","http_agent=""Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:62.0) Gecko/20100101 Firefox/62.0""",http_retcode=200,"msg=""HTTP get request from,content_switch_name="none",server_pool_name="NTS","user_name=""Unknown""","http_refer=""https://mysite/dashboard/new/datalist.aspx?

i want just show the result before http_retcode, the result should be

(http_agent=""Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:62.0) Gecko/20100101 Firefox/62.0)

can you tell me how can i do that?

kamlesh_vaghela · ‎09-29-2018

@khanlarloo

try this:

YOUR_SEARCH  | rex field=_raw "\"(?<A>http_agent=.*)\"\"\",http_retcode"

Sample Search:

| makeresults | eval _raw="\"http_host=\"\"nts.mapnanyp.com\"\"\",\"http_agent=\"\"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:62.0) Gecko/20100101 Firefox/62.0\"\"\",http_retcode=200,\"msg=\"\"HTTP get request from,content_switch_name=\"none\",server_pool_name=\"NTS\",\"user_name=\"\"Unknown\"\"\",\"http_refer=\"\"https://mysite/dashboard/new/datalist.aspx?" | rex field=_raw "\"(?<A>http_agent=.*)\"\"\",http_retcode"

khanlarloo · ‎09-29-2018

it doesn't work.

kamlesh_vaghela · ‎09-29-2018

does it return blank or unexpected output?

ddrillic · ‎09-29-2018

Looks most cheerful to me ; -)

kamlesh_vaghela · ‎09-30-2018

Are you looking for round brackets ()?
Then just append it... 🙂

eval A="(".A.")";

extarct specific field with regex

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!