Solved: Getting A Specific Field From a Log

luteixeira · ‎11-12-2020

Hello Splunkers. 🙂

I have a stream of logs going to Splunk that reports daily errors. The logs is as follows:

Exceptions Details
App...............: WebApp
Original Message..: The provided anti-forgery token was meant for user "1234" but the current user is "".
Server............: WebAppServer
Service API URL...: https://xpto.systemname.com/WebAppApi/SelfService/FI.API.SelfService

I have these kinds of exceptions going on through the day and night and my main goal is to compile the type of exception, which URL happened, where (server name) and how many times it happened.

So what I need is to extract the field after the :

I've tried...

index="MyIndex" | extract kvdelim=":", auto=f

... as suggested in this cheat sheet but I couldn't manage to work.

Any help/suggestions? 🙂

Thank you in advance.

ITWhisperer · ‎11-12-2020

| rex max_match=0 "(?<key>[^\.:\n]+).*:\s(?<value>[^\n]*)"

View solution in original post

ITWhisperer · ‎11-12-2020

| rex max_match=0 "(?<key>[^\.:\n]+).*:\s(?<value>[^\n]*)"

luteixeira · ‎11-12-2020

@ITWhisperer You're awesome!

Worked just fine for what I was looking for.

Thank you very much!

Getting A Specific Field From a Log

field extraction

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Data Management Digest – May 2026

Index This | What is feather-light but cannot be held long?

Join the Conversation