Splunk Enterprise

How to create regex to extract the fields

pchintha
Engager

From the below Log:
aoauwersdfx01a-mgt.example.com NewDecom: Info: 164807335647.901 0 10.200.111.06 NONE/504 0 GET http://wpad.example.com/wpad.dat - NONE/wpad.example.com

Need to extract the fields:
Field 1: result=NON/504 change to status=504
Field 2: url=http://wpad.example.com/wpad.dat change to url=wpad.example.com

Need the regular expression for this.

 

0 Karma

venky1544
Builder

Hi @pchintha 

Quick question before the regex: is the status code always prefixed with NONE?

Also, is the URL at the end of the log always prefixed with NONE/ (NONE/wpad.example.com)?

If yes:

NONE\/(?<url>[a-z.]+)


NONE\/(?<status>\d+)

Above are the individual regexes, and below is one single regex, if NONE always precedes the URL and status:

NONE\/(?<status>\d+)([\w+ :\/\/.-]+)NONE\/(?<url>[a-z.]+)

---------------------

Hope this helps.

If you find the answer helpful, please accept the solution; karma is also appreciated.

0 Karma

pchintha
Engager

@venky1544 thanks for your help, but I need the output to be only

status=504, and not status=/504

url=wpad.example.com, and not url=http://wpad.example.com

Here we are separating the http:// only; we are not checking the NONE things in the url field.

0 Karma

venky1544
Builder

Hi @pchintha 

What do you mean by /504 and url=http://wpad.example.com?

Clearly the regex is extracting 504, not /504, and wpad.example.com.

Please check the screenshot; there is nothing wrong with the regex.

It seems you are doing something incorrect in Splunk while implementing the regex.

Please share your complete Splunk query and how you are executing it.

0 Karma

ITWhisperer
SplunkTrust

| rex field=result "/(?<status>\d+)"
| rex field=url "http://(?<url>[^/ ]+)"

pchintha
Engager

@ITWhisperer I checked, but it's not matching anything. Also, after this works I need to add this regex to props.conf, so based on this please share the regex. This is not working at all for me.

0 Karma

diogofgm
SplunkTrust

The errors you are getting there are because in regex101 you need to escape the "/" like "\/".

------------
Hope I was able to help you. If so, some karma would be appreciated.
0 Karma

pchintha
Engager

@isoutamo Hi, I need your help with a regex to get the fields.

0 Karma

pchintha
Engager

Any luck from anyone?

0 Karma
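
A check of the two extractions discussed in this thread, run against the whole sample event from the question. This is an added example, not code posted by any participant: the patterns, the `extractFields` helper and the second and third events are constructed, and it assumes the result token is uppercase letters, `/`, then a three-digit code.

```javascript
// Added example. SAMPLE is the event quoted in the question; the other two
// events are constructed to exercise a port in the URL and a non-matching line.
const SAMPLE =
  "aoauwersdfx01a-mgt.example.com NewDecom: Info: 164807335647.901 0 " +
  "10.200.111.06 NONE/504 0 GET http://wpad.example.com/wpad.dat - " +
  "NONE/wpad.example.com";
const WITH_PORT =
  "proxy01.example.com NewDecom: Info: 164807335650.120 12 10.200.111.07 " +
  "TCP_MISS/200 512 GET https://portal.example.com:8443/login - " +
  "DIRECT/portal.example.com";
const NO_MATCH = "proxy01.example.com NewDecom: Info: service restarted";

// Patterns are plain strings, as they would appear between the quotes of a
// rex command. "/" needs no backslash here; "\/" is only required where "/"
// is the pattern delimiter (regex101's default, or a JavaScript /.../ literal).
// Assumption: the result token is UPPERCASE/NNN surrounded by whitespace, so
// the trailing NONE/wpad.example.com can never be taken for a status.
const STATUS_RE = String.raw`\s[A-Z_]+/(?<status>\d{3})\s`;
// Host only: stop at "/", ":" (port) or whitespace after the scheme.
const URL_RE = String.raw`\shttps?://(?<url>[^/:\s]+)`;

// Returns { status, url }; a field is null when its pattern does not match,
// which is how a missing extraction would show up as an absent field.
function extractFields(event) {
  const status = new RegExp(STATUS_RE).exec(event);
  const url = new RegExp(URL_RE).exec(event);
  return {
    status: status ? status.groups.status : null,
    url: url ? url.groups.url : null,
  };
}

for (const event of [SAMPLE, WITH_PORT, NO_MATCH]) {
  console.log(JSON.stringify(extractFields(event)));
}
```
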