Solved: Re: How to extract the field from raw logs

aditsss · ‎10-14-2020

Hi,

Below are my logs:

2020-10-14 01:59:59,889 INFO [-912674] o.a.n.w.s.AuthenticationFilter Attempting request for (<ppatt2><CN=abcdefg50450.phx.xp.com, OU=Middleware Utilities, L=Phoenix, ST=Arizona, C=US, SERIALNUMBER=188055, OID.1.3.6.1.4.1.311.60.2.1.2=New York, OID.1.3.6.1.4.1.311.60.2.1.3=US, OID.2.5.4.15=Private Organization>) GET https://abcdefg50449.phx.xp.com:9091/api/flow/bulletin-board (source )

2020-10-14 02:00:32,995 INFO 67995] o.a.n.w.s.NiFiAuthenticationFilter Attempting request for (<vkravic><CN=abcdefg50450.phx.xp.com, OU=Middleware Utilities, L=Phoenix, ST=Arizona, C=US, SERIALNUMBER=188055, OID.1.3.6.1.4.1.311.60.2.1.2=New York, OID.1.3.6.1.4.1.311.60.2.1.3=US, OID.2.5.4.15=Private Organization>) POST https://abcdefg50450.phx.xp.com:9091/api/flowfile-queues/5aab3ee9-4bd1-1f35-9756-ed1248dbc67a/listin... (source)

I want two regex for two fields differently:

One mark in red as Request User and one mark in green as Request Type.

Can someone provide me regex's for both the fields.

Thanks in advance.

to4kawa · ‎10-14-2020

| rex "\<(?<Request_User>\S+)\>"
| rex "(?<Request_Type>POST|GET|OPTIONS|HEAD|PUT)"

View solution in original post

to4kawa · ‎10-14-2020

| rex "\<(?<Request_User>\S+)\>"
| rex "(?<Request_Type>POST|GET|OPTIONS|HEAD|PUT)"

aditsss · ‎10-14-2020

@to4kawa

Thankyou so much for your help.

to4kawa · ‎10-14-2020

index=_internal | head 1 | fields _raw | eval _raw="2020-10-14 01:59:59,889 INFO [-912674] o.a.n.w.s.AuthenticationFilter Attempting request for (<ppatt2><CN=abcdefg50450.phx.xp.com, OU=Middleware Utilities, L=Phoenix, ST=Arizona, C=US, SERIALNUMBER=188055, OID.1.3.6.1.4.1.311.60.2.1.2=New York, OID.1.3.6.1.4.1.311.60.2.1.3=US, OID.2.5.4.15=Private Organization>) GET https://abcdefg50449.phx.xp.com:9091/api/flow/bulletin-board (source )"
| appendpipe [| eval _raw="2020-10-14 02:00:32,995 INFO 67995] o.a.n.w.s.NiFiAuthenticationFilter Attempting request for (<vkravic><CN=abcdefg50450.phx.xp.com, OU=Middleware Utilities,  L=Phoenix, ST=Arizona, C=US, SERIALNUMBER=188055, OID.1.3.6.1.4.1.311.60.2.1.2=New York, OID.1.3.6.1.4.1.311.60.2.1.3=US, OID.2.5.4.15=Private Organization>) POST https://abcdefg50450.phx.xp.com:9091/api/flowfile-queues/5aab3ee9-4bd1-1f35-9756-ed1248dbc67a/listin... (source)"]
| rex "(?<time>\S+\s\S+) .*?\<(?<Request_User>\S+)\>.*(?<Request_Type>POST|GET|OPTIONS|HEAD|PUT)\s(?<url>\S+)"
| eval _time=strptime(time,"%F %T,%3Q")

how about this?

aditsss · ‎10-14-2020

@to4kawa

Can you provide separate regex for both.

It would be a great help.

How to extract the field from raw logs

simple XML

Splunk Observability for AI

Splunk Enterprise Security 8.x: The Essential Upgrade for Threat Detection, ...

Splunk Observability as Code: From Zero to Dashboard

Are you a member of the Splunk Community?

How to extract the field from raw logs

simple XML

Splunk Observability for AI

Splunk Enterprise Security 8.x: The Essential Upgrade for Threat Detection, ...

Splunk Observability as Code: From Zero to Dashboard