Splunk Dev
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

extract field data using regex for space delimited logs

adwaitkaley
Engager
‎08-05-2017 02:26 PM

Hi, my splunk logs are in the following format :

"POST /v2/endpoint HTTP/1.0" 200 91 "http://example.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36" 0.029 "127.0.0.1" "some-id"

I need to extract the status (200 in this case) and the response time (0.029 in this case) in my splunk search ?

How can I achieve this, I tried using regex's but the same delimiting fails as the data also has spaces 😞

Any way I can get these ?

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎08-06-2017 07:49 AM

Hi adwaitkaley,
try with

\"[^\"]*\"\s(?<status>\d+)([^\"]*\"){4}\s(?<response_time>[^ ]*)

or in command 

| rex "\"[^\"]*\"\s(?<status>\d+)([^\"]*\"){4}\s(?<response_time>[^ ]*)"

could you share some additional samples, probably there's some additional problem (see https://regex101.com/r/yYhGra/1)

Bye.
Giuseppe

View solution in original post

Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎08-06-2017 07:49 AM

Hi adwaitkaley,
try with

\"[^\"]*\"\s(?<status>\d+)([^\"]*\"){4}\s(?<response_time>[^ ]*)

or in command 

| rex "\"[^\"]*\"\s(?<status>\d+)([^\"]*\"){4}\s(?<response_time>[^ ]*)"

could you share some additional samples, probably there's some additional problem (see https://regex101.com/r/yYhGra/1)

Bye.
Giuseppe

Reply
Solved! Jump to solution

adwaitkaley
Engager
‎08-06-2017 10:18 AM

Hi cusello,

Awesome ! This is exactly what I was looking for 🙂
I literally hate the way the logs are setup, key-value pairs make life a hell lot easier.
Is there a way we can tokenize the other elements in the logs too ?
That would help immensely.

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎08-07-2017 12:27 AM

Hi adwaitkaley,
in the same way

\"(?<field1>[^\"]*)"\s(?<status>\d+)\s(?<substatus>\d+)\s\"(?<url>[^\"]*)\"\s\"(?<client>[^\"]*)\"\s(?<response_time>[^ ]*)\s\"(?<IP>[^\"]*)\"\s\"(?<field2>[^\"]*)\"

see https://regex101.com/r/yYhGra/2

If this answer satisfies your need, please accept it.
Bye.
Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

Now Playing: Splunk Education Summer Learning Premieres

It’s premiere season, and Splunk Education is rolling out new releases you won’t want to miss. Whether you’re ...

The Visibility Gap: Hybrid Networks and IT Services

The most forward thinking enterprises among us see their network as much more than infrastructure – it's their ...

Get Operational Insights Quickly with Natural Language on the Splunk Platform

In today’s fast-paced digital world, turning data into actionable insights is essential for success. With ...
Top