Splunk Dev
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

extract field data using regex for space delimited logs

adwaitkaley
Engager
‎08-05-2017 02:26 PM

Hi, my splunk logs are in the following format :

"POST /v2/endpoint HTTP/1.0" 200 91 "http://example.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36" 0.029 "127.0.0.1" "some-id"

I need to extract the status (200 in this case) and the response time (0.029 in this case) in my splunk search ?

How can I achieve this, I tried using regex's but the same delimiting fails as the data also has spaces 😞

Any way I can get these ?

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎08-06-2017 07:49 AM

Hi adwaitkaley,
try with

\"[^\"]*\"\s(?<status>\d+)([^\"]*\"){4}\s(?<response_time>[^ ]*)

or in command 

| rex "\"[^\"]*\"\s(?<status>\d+)([^\"]*\"){4}\s(?<response_time>[^ ]*)"

could you share some additional samples, probably there's some additional problem (see https://regex101.com/r/yYhGra/1)

Bye.
Giuseppe

View solution in original post

Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎08-06-2017 07:49 AM

Hi adwaitkaley,
try with

\"[^\"]*\"\s(?<status>\d+)([^\"]*\"){4}\s(?<response_time>[^ ]*)

or in command 

| rex "\"[^\"]*\"\s(?<status>\d+)([^\"]*\"){4}\s(?<response_time>[^ ]*)"

could you share some additional samples, probably there's some additional problem (see https://regex101.com/r/yYhGra/1)

Bye.
Giuseppe

Reply
Solved! Jump to solution

adwaitkaley
Engager
‎08-06-2017 10:18 AM

Hi cusello,

Awesome ! This is exactly what I was looking for 🙂
I literally hate the way the logs are setup, key-value pairs make life a hell lot easier.
Is there a way we can tokenize the other elements in the logs too ?
That would help immensely.

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎08-07-2017 12:27 AM

Hi adwaitkaley,
in the same way

\"(?<field1>[^\"]*)"\s(?<status>\d+)\s(?<substatus>\d+)\s\"(?<url>[^\"]*)\"\s\"(?<client>[^\"]*)\"\s(?<response_time>[^ ]*)\s\"(?<IP>[^\"]*)\"\s\"(?<field2>[^\"]*)\"

see https://regex101.com/r/yYhGra/2

If this answer satisfies your need, please accept it.
Bye.
Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

Developer Spotlight with William Searle

The Splunk Guy: A Developer’s Path from Web to Cloud William is a Splunk Professional Services Consultant with ...

Major Splunk Upgrade – Prepare your Environment for Splunk 10 Now!

Attention App Developers: Test Your Apps with the Splunk 10.0 Beta and Ensure Compatibility Before the ...

Stay Connected: Your Guide to June Tech Talks, Office Hours, and Webinars!

What are Community Office Hours?Community Office Hours is an interactive 60-minute Zoom series where ...
Top