
How to extract the field from raw logs

aditsss
Motivator

Hi, 

Below are my logs:

2020-10-14 01:59:59,889 INFO [-912674] o.a.n.w.s.AuthenticationFilter Attempting request for (<ppatt2><CN=abcdefg50450.phx.xp.com, OU=Middleware Utilities, L=Phoenix, ST=Arizona, C=US, SERIALNUMBER=188055, OID.1.3.6.1.4.1.311.60.2.1.2=New York, OID.1.3.6.1.4.1.311.60.2.1.3=US, OID.2.5.4.15=Private Organization>) GET https://abcdefg50449.phx.xp.com:9091/api/flow/bulletin-board (source )

2020-10-14 02:00:32,995 INFO 67995] o.a.n.w.s.NiFiAuthenticationFilter Attempting request for (<vkravic><CN=abcdefg50450.phx.xp.com, OU=Middleware Utilities,  L=Phoenix, ST=Arizona, C=US, SERIALNUMBER=188055, OID.1.3.6.1.4.1.311.60.2.1.2=New York, OID.1.3.6.1.4.1.311.60.2.1.3=US, OID.2.5.4.15=Private Organization>) POST https://abcdefg50450.phx.xp.com:9091/api/flowfile-queues/5aab3ee9-4bd1-1f35-9756-ed1248dbc67a/listin... (source)

I want two regexes for two different fields:

One marked in red as Request User and one marked in green as Request Type.

Can someone provide me regexes for both fields?

Thanks in advance.


1 Solution

to4kawa
Ultra Champion
| rex "\<(?<Request_User>\S+)\>"
| rex "(?<Request_Type>POST|GET|OPTIONS|HEAD|PUT)"

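As an added example (not from the thread), the same extractions in Python over constructed lines shaped like the ones in the question: Request_User, Request_Type, URL, timestamp and the certificate CN. It anchors on the literal text around the user and the DN so an HTTP method inside the URL path cannot be matched, adds DELETE and PATCH to the method list, and the field names and the UTC assumption for the timestamp are my own.

```python
import re
from datetime import datetime, timezone

# Constructed sample lines modelled on the NiFi AuthenticationFilter lines in the question.
SAMPLE_LINES = [
    "2020-10-14 01:59:59,889 INFO [-912674] o.a.n.w.s.AuthenticationFilter Attempting request for "
    "(<ppatt2><CN=abcdefg50450.phx.xp.com, OU=Middleware Utilities, L=Phoenix, ST=Arizona, C=US, "
    "SERIALNUMBER=188055>) GET https://abcdefg50449.phx.xp.com:9091/api/flow/bulletin-board (source )",
    "2020-10-14 02:00:32,995 INFO 67995] o.a.n.w.s.NiFiAuthenticationFilter Attempting request for "
    "(<vkravic><CN=abcdefg50450.phx.xp.com, OU=Middleware Utilities,  L=Phoenix, ST=Arizona, C=US>) "
    "POST https://abcdefg50450.phx.xp.com:9091/api/flowfile-queues/5aab3ee9/listing-requests (source)",
]

# Python's re spells named groups (?P<name>...) where Splunk's rex uses (?<name>...).
# Matching "Attempting request for (<user><dn>) METHOD url" literally means a method
# name inside the URL path can never be picked up as the request type.
LINE_RE = re.compile(
    r"^(?P<time>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3}) "
    r".*?Attempting request for \(<(?P<request_user>[^>]+)>"
    r"<(?P<client_dn>[^>]*)>\) "
    r"(?P<request_type>POST|GET|OPTIONS|HEAD|PUT|DELETE|PATCH) "
    r"(?P<url>\S+)"
)


def parse_auth_line(line):
    """Return the extracted fields as a dict, or None if the line does not match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    fields = m.groupdict()
    # Equivalent of strptime(time, "%F %T,%3Q") in the Splunk answer; the log carries
    # no zone, so UTC is an assumption made here.
    ts = datetime.strptime(fields["time"], "%Y-%m-%d %H:%M:%S,%f")
    fields["_time"] = ts.replace(tzinfo=timezone.utc).timestamp()
    # Pull the CN out of the DN so the user can be tied to the certificate that presented it.
    cn = re.search(r"(?:^|, )CN=([^,]+)", fields["client_dn"])
    fields["cert_cn"] = cn.group(1) if cn else None
    return fields


def extract_all(lines):
    """Parse every line, silently skipping lines that are not authentication attempts."""
    return [f for f in (parse_auth_line(l) for l in lines) if f is not None]


if __name__ == "__main__":
    for row in extract_all(SAMPLE_LINES):
        print(row["request_user"], row["request_type"], row["url"], row["cert_cn"])
```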

aditsss
Motivator

@to4kawa 


Thank you so much for your help.


to4kawa
Ultra Champion


index=_internal | head 1 | fields _raw | eval _raw="2020-10-14 01:59:59,889 INFO [-912674] o.a.n.w.s.AuthenticationFilter Attempting request for (<ppatt2><CN=abcdefg50450.phx.xp.com, OU=Middleware Utilities, L=Phoenix, ST=Arizona, C=US, SERIALNUMBER=188055, OID.1.3.6.1.4.1.311.60.2.1.2=New York, OID.1.3.6.1.4.1.311.60.2.1.3=US, OID.2.5.4.15=Private Organization>) GET https://abcdefg50449.phx.xp.com:9091/api/flow/bulletin-board (source )"
| appendpipe [| eval _raw="2020-10-14 02:00:32,995 INFO 67995] o.a.n.w.s.NiFiAuthenticationFilter Attempting request for (<vkravic><CN=abcdefg50450.phx.xp.com, OU=Middleware Utilities,  L=Phoenix, ST=Arizona, C=US, SERIALNUMBER=188055, OID.1.3.6.1.4.1.311.60.2.1.2=New York, OID.1.3.6.1.4.1.311.60.2.1.3=US, OID.2.5.4.15=Private Organization>) POST https://abcdefg50450.phx.xp.com:9091/api/flowfile-queues/5aab3ee9-4bd1-1f35-9756-ed1248dbc67a/listin... (source)"]
| rex "(?<time>\S+\s\S+) .*?\<(?<Request_User>\S+)\>.*(?<Request_Type>POST|GET|OPTIONS|HEAD|PUT)\s(?<url>\S+)"
| eval _time=strptime(time,"%F %T,%3Q")


How about this?


aditsss
Motivator

@to4kawa 

Can you provide separate regexes for both?


It would be a great help.
