Dashboards & Visualizations

How to extract the field from the raw data

aditsss
Builder

Hi Everyone,

Can someone guide me . How I can extract the below highlighted field from the logs:

2021-04-13 23:54:59,614 INFO [NiFi Web Server-54351] o.a.n.w.s. Attempting request for (<kdave7><l.com><CN=.com, OU=Middleware Utilities,L=Phoenix, ST=Arizona, C=US>) PUT https://lpdosputb50088.phx.bvc.com:9091/nifi-api/process-groups/9c673790-e123-1a1b-9c0d-d1adf4af91cb/variable-registry 

2021-04-13 23:54:59,617 INFO [NiFi Web Server-201257] o.a.n.w.s.NiFiAuthenticationFilter Attempting request for (<kdave7>><CN=lpdosputb50090.phx.aexp.com, OU=Middleware Utilities, L=Phoenix, ST=Arizona, C=US>) PUT https://lpdosputb50089.phx.abc.com:9091/nifi-api/process-groups/9c673790-e123-1a1b-9c0d-d1adf4af91cb/variable-registry

2021-04-13 23:54:41,185 INFO [NiFi Web Server-54256] o.a.n.w.s.NiFiAuthenticationFilter Attempting request for (<JWT token>) GET https://ecpnifiblaze-dev.poi.com/nifi-api/processors/cbd8ff04-0178-1000-0000-000035805b48 

Labels (2)
0 Karma
1 Solution

gcusello
SplunkTrust
SplunkTrust

Hi @aditsss,

please try this:

| rex "\/[^\/]+\/((nifi-api\/flow)|(nifi-api))\/(?<your_field>[^\/]+)"

that you can test at https://regex101.com/r/Fa01uS/2

Ciao.

Giuseppe

View solution in original post

gcusello
SplunkTrust
SplunkTrust

Hi @aditsss,

if you need to extract the string between "nifi-api/" and the first "/", you could use a regex like this:

| rex "nifi-api\/(?<your_field>[^\/]+)"

that you can test at https://regex101.com/r/Fa01uS/1

Ciao.

Giuseppe

0 Karma

aditsss
Builder

@gcusello 

some logs contains like this as well.

2021-04-13 23:54:25,867 INFO [NiFi Web Server-56517] o.a.n.w.s.NiFiAuthenticationFilter Attempting request for (<adasg17><CN=com, OU=Middleware Utilities, L=Phoenix, ST=Arizona, C=US>) GET https://lpdosputb50090.phx.p.com:9091/nifi-api/flow/process-groups/f9d9372e-b5ee-1c7b-b319-2601b4c87428

I want only one column for both.

How can I extract

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @aditsss,

please try this:

| rex "\/[^\/]+\/((nifi-api\/flow)|(nifi-api))\/(?<your_field>[^\/]+)"

that you can test at https://regex101.com/r/Fa01uS/2

Ciao.

Giuseppe

View solution in original post

.conf21 CFS Extended through 5/20!

Don't miss your chance
to share your Splunk
wisdom in-person or
virtually at .conf21!

Call for Speakers has
been extended through
Thursday, 5/20!