Splunk Enterprise
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to create regex to extract the fields

pchintha
Engager
‎03-23-2022 07:22 PM

From the below Log:
aoauwersdfx01a-mgt.example.com NewDecom: Info: 164807335647.901 0 10.200.111.06 NONE/504 0 GET http://wpad.example.com/wpad.dat - NONE/wpad.example.com

Need to extract the fields:
Field 1: result=NON/504 change to status=504
Field 2: url=http://wpad.example.com/wpad.dat change to url=wpad.example.com

Need the regular expression for this.

 

0 Karma
Reply

venky1544
Builder
‎03-24-2022 02:38 AM

Hi @pchintha 

quick question before the regex

is the status code always prefixed with NONE 

and also for the url at the end of the log is it always prefixed with NONE/wpad.example.com

if yes

NONE\/(?<url>[a-z.]+)

venky1544_0-1648114825894.png

 

NONE\/(?<status>\d+)

venky1544_1-1648114856180.png

above are individual regex and below is one single regex if NONE is always preceded before URL and status

NONE\/(?<status>\d+)([\w+ :\/\/.-]+)NONE\/(?<url>[[a-z.]+)

venky1544_2-1648115085600.png

 

---------------------

Hope this helps 

If you find the answer helpful please accept the solution also karma is appreciated

 

 

 

 

 

0 Karma
Reply

pchintha
Engager
‎03-24-2022 03:09 AM

@venky1544 thanks for your help, but i need only the output is 

status=504 not to be like status=/504

url=wpad.example.com not to be like url=http://wpad.example.com

 

Here we are separating the http:// only we are not checking the NONE things in the url field

0 Karma
Reply

venky1544
Builder
‎03-24-2022 05:02 AM

Hi @pchintha 

what do you mean by /504 and url=http://wpad.example.com

clearly the regex is extracting 504 and not /504 and wpad.example.com

Please check the screenshot there is nothing wrong with the reg ex

it seems you are doing something in correct in splunk while implementing the regex 

please share your complete splunk query how you are executing it 

 

venky1544_0-1648123125051.png

 

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎03-23-2022 11:13 PM 
| rex field=result "/(?<status>\d+)"
| rex field=url "http://(?<url>[^/ ]+)"
Reply

pchintha
Engager
‎03-24-2022 01:33 AM

@ITWhisperer  i checked but its not matching anything and also after this work i need to add in props.conf this regex so based on this please share the regex this is not working at all for me.

 

pchintha_0-1648110742319.png

pchintha_1-1648110773548.png

 

0 Karma
Reply

diogofgm
SplunkTrust
SplunkTrust
‎03-24-2022 05:54 AM

there errors you are getting there its because in regex101 you need to escape the "/" like "\/"

Screenshot 2022-03-24 at 12.52.50.png

Screenshot 2022-03-24 at 12.54.11.png

------------
Hope I was able to help you. If so, some karma would be appreciated.
0 Karma
Reply

pchintha
Engager
‎03-23-2022 07:24 PM

@isoutamo  hi i need your help for a regex to get the fields

Tags (1)
0 Karma
Reply

pchintha
Engager
‎03-24-2022 04:53 AM

any luck from anyone.

0 Karma
Reply
Get Updates on the Splunk Community!

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...

In today’s evolving threat landscape, we understand you’re constantly bombarded with phishing and malware ...

AppDynamics is now part of Splunk Ideas

Hello Splunkers, We have exciting news for you! AppDynamics has been added to the Splunk Ideas Portal. Which ...

Advanced Splunk Data Management Strategies

Join us on Wednesday, May 14, 2025, at 11 AM PDT / 2 PM EDT for an exclusive Tech Talk that delves into ...
Top