Solved: Getting A Specific Field From a Log

luteixeira · ‎11-12-2020

Hello Splunkers. 🙂

I have a stream of logs going to Splunk that reports daily errors. The logs is as follows:

Exceptions Details
App...............: WebApp
Original Message..: The provided anti-forgery token was meant for user "1234" but the current user is "".
Server............: WebAppServer
Service API URL...: https://xpto.systemname.com/WebAppApi/SelfService/FI.API.SelfService

I have these kinds of exceptions going on through the day and night and my main goal is to compile the type of exception, which URL happened, where (server name) and how many times it happened.

So what I need is to extract the field after the :

I've tried...

index="MyIndex" | extract kvdelim=":", auto=f

... as suggested in this cheat sheet but I couldn't manage to work.

Any help/suggestions? 🙂

Thank you in advance.

ITWhisperer · ‎11-12-2020

| rex max_match=0 "(?<key>[^\.:\n]+).*:\s(?<value>[^\n]*)"

View solution in original post

ITWhisperer · ‎11-12-2020

| rex max_match=0 "(?<key>[^\.:\n]+).*:\s(?<value>[^\n]*)"

luteixeira · ‎11-12-2020

@ITWhisperer You're awesome!

Worked just fine for what I was looking for.

Thank you very much!

Getting A Specific Field From a Log

field extraction

Join Us for Splunk University and Get Your Bootcamp Game On!

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

Announcing Scheduled Export GA for Dashboard Studio