Security

Easy question.. how do I get just the HTTP response from this log?

tengugurl1
Engager

Hi! 

The log in question reads as:
HTTP/1.1" 200 365 3

in our splunk, we don't have a "HTTP status" field to pivot off of..
So I see that the HTTP response always shows as it does above,
So I'd need a regex that gives me something like:

| rex field=HTTP response  "

 

HTTP/1.1" *** 

Labels (1)
0 Karma

nmohammed
Builder
 rex "HTTP\/1\.1\"\s*(?<http_response>\d{3})"

try above

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In January, the Splunk Threat Research Team had one release of new security content via the Splunk ES Content ...

Expert Tips from Splunk Professional Services, Ensuring Compliance, and More New ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Observability Release Update: AI Assistant, AppD + Observability Cloud Integrations & ...

This month’s releases across the Splunk Observability portfolio deliver earlier detection and faster ...