Splunk Enterprise
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to create regex to extract the fields

pchintha
Engager
‎03-23-2022 07:22 PM

From the below Log:
aoauwersdfx01a-mgt.example.com NewDecom: Info: 164807335647.901 0 10.200.111.06 NONE/504 0 GET http://wpad.example.com/wpad.dat - NONE/wpad.example.com

Need to extract the fields:
Field 1: result=NON/504 change to status=504
Field 2: url=http://wpad.example.com/wpad.dat change to url=wpad.example.com

Need the regular expression for this.

 

0 Karma
Reply

venky1544
Builder
‎03-24-2022 02:38 AM

Hi @pchintha 

quick question before the regex

is the status code always prefixed with NONE 

and also for the url at the end of the log is it always prefixed with NONE/wpad.example.com

if yes

NONE\/(?<url>[a-z.]+)

venky1544_0-1648114825894.png

 

NONE\/(?<status>\d+)

venky1544_1-1648114856180.png

above are individual regex and below is one single regex if NONE is always preceded before URL and status

NONE\/(?<status>\d+)([\w+ :\/\/.-]+)NONE\/(?<url>[[a-z.]+)

venky1544_2-1648115085600.png

 

---------------------

Hope this helps 

If you find the answer helpful please accept the solution also karma is appreciated

 

 

 

 

 

0 Karma
Reply

pchintha
Engager
‎03-24-2022 03:09 AM

@venky1544 thanks for your help, but i need only the output is 

status=504 not to be like status=/504

url=wpad.example.com not to be like url=http://wpad.example.com

 

Here we are separating the http:// only we are not checking the NONE things in the url field

0 Karma
Reply

venky1544
Builder
‎03-24-2022 05:02 AM

Hi @pchintha 

what do you mean by /504 and url=http://wpad.example.com

clearly the regex is extracting 504 and not /504 and wpad.example.com

Please check the screenshot there is nothing wrong with the reg ex

it seems you are doing something in correct in splunk while implementing the regex 

please share your complete splunk query how you are executing it 

 

venky1544_0-1648123125051.png

 

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎03-23-2022 11:13 PM 
| rex field=result "/(?<status>\d+)"
| rex field=url "http://(?<url>[^/ ]+)"
Reply

pchintha
Engager
‎03-24-2022 01:33 AM

@ITWhisperer  i checked but its not matching anything and also after this work i need to add in props.conf this regex so based on this please share the regex this is not working at all for me.

 

pchintha_0-1648110742319.png

pchintha_1-1648110773548.png

 

0 Karma
Reply

diogofgm
SplunkTrust
SplunkTrust
‎03-24-2022 05:54 AM

there errors you are getting there its because in regex101 you need to escape the "/" like "\/"

Screenshot 2022-03-24 at 12.52.50.png

Screenshot 2022-03-24 at 12.54.11.png

------------
Hope I was able to help you. If so, some karma would be appreciated.
0 Karma
Reply

pchintha
Engager
‎03-23-2022 07:24 PM

@isoutamo  hi i need your help for a regex to get the fields

Tags (1)
0 Karma
Reply

pchintha
Engager
‎03-24-2022 04:53 AM

any luck from anyone.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Answers Content Calendar, June Edition

Get ready for this week’s post dedicated to Splunk Dashboards! We're celebrating the power of community by ...

What You Read The Most: Splunk Lantern’s Most Popular Articles!

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

See your relevant APM services, dashboards, and alerts in one place with the updated ...

As a Splunk Observability user, you have a lot of data you have to manage, prioritize, and troubleshoot on a ...
Top