Splunk Enterprise

How to create regex to extract the fields

pchintha
Engager

From the log below:
aoauwersdfx01a-mgt.example.com NewDecom: Info: 164807335647.901 0 10.200.111.06 NONE/504 0 GET http://wpad.example.com/wpad.dat - NONE/wpad.example.com

Need to extract the fields:
Field 1: result=NON/504 change to status=504
Field 2: url=http://wpad.example.com/wpad.dat change to url=wpad.example.com

Need the regular expression for this.

 

0 Karma

venky1544
Builder

Hi @pchintha 

Quick question before the regex:

Is the status code always prefixed with NONE?

And also, for the URL at the end of the log, is it always prefixed with NONE/wpad.example.com?

If yes:

NONE\/(?<url>[a-z.]+)

NONE\/(?<status>\d+)

Above are the individual regexes, and below is one single regex, if NONE always precedes the URL and status:

NONE\/(?<status>\d+)([\w+ :\/\/.-]+)NONE\/(?<url>[a-z.]+)

---------------------

Hope this helps.

If you find the answer helpful, please accept the solution. Karma is also appreciated.

0 Karma

pchintha
Engager

@venky1544 thanks for your help, but I need the output to be only:

status=504, not status=/504

url=wpad.example.com, not url=http://wpad.example.com

Here we are only separating out the http://; we are not checking the NONE things in the url field.

0 Karma

venky1544
Builder

Hi @pchintha 

What do you mean by /504 and url=http://wpad.example.com?

Clearly the regex is extracting 504 and not /504, and wpad.example.com.

Please check the screenshot; there is nothing wrong with the regex.

It seems you are doing something incorrect in Splunk while implementing the regex.

Please share your complete Splunk query and how you are executing it.

0 Karma

ITWhisperer
SplunkTrust

| rex field=result "/(?<status>\d+)"
| rex field=url "http://(?<url>[^/ ]+)"

pchintha
Engager

@ITWhisperer I checked, but it's not matching anything. Also, after this work I need to add this regex in props.conf, so based on this please share the regex; this is not working at all for me.

0 Karma

diogofgm
SplunkTrust

The errors you are getting there are because in regex101 you need to escape the "/" like "\/".

------------
Hope I was able to help you. If so, some karma would be appreciated.
0 Karma
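
An added example, not part of any post in this thread: one pattern that pulls both fields straight from the raw event, run over the log line from the question plus two constructed lines. It goes beyond the thread's case by accepting result codes other than NONE, an https URL with a port, and a scheme-less CONNECT target; the function names and the field layout are assumptions, and JavaScript is used because its `(?<name>...)` named groups are written the same way as in the patterns above.

```javascript
// Added example (not from the thread). Layout assumed from the question's line:
//   ... <RESULT>/<status> <size> <METHOD> <url> ...
// Captures the 3-digit status and only the host of the URL
// (scheme, port and path are left out of the capture).
const EVENT_RE =
  /\s[A-Z_]+\/(?<status>\d{3})\s+\d+\s+[A-Z]+\s+(?:[a-z][a-z0-9+.-]*:\/\/)?(?<url>[^\/\s:]+)/;

const SAMPLE_EVENTS = [
  // Log line quoted in the question.
  'aoauwersdfx01a-mgt.example.com NewDecom: Info: 164807335647.901 0 10.200.111.06 ' +
    'NONE/504 0 GET http://wpad.example.com/wpad.dat - NONE/wpad.example.com',
  // Constructed: different result code, https, explicit port, query string.
  'proxy01.example.com NewDecom: Info: 1648073400.120 85 10.200.111.7 ' +
    'TCP_MISS/200 5120 GET https://portal.example.com:8443/login?next=/home - DIRECT/portal.example.com',
  // Constructed: CONNECT request, target given as host:port with no scheme.
  'proxy01.example.com NewDecom: Info: 1648073401.455 0 10.200.111.7 ' +
    'TCP_DENIED/403 0 CONNECT updates.example.net:443 - NONE/-',
];

// Returns { status, url } for a raw event, or null when the line
// does not have the assumed layout (so bad lines are not half-parsed).
function extractFields(rawEvent) {
  const m = EVENT_RE.exec(rawEvent);
  if (!m) return null;
  return { status: m.groups.status, url: m.groups.url };
}

// Renders the result in the key=value form asked for in the question.
function toKv(rawEvent) {
  const f = extractFields(rawEvent);
  return f ? `status=${f.status} url=${f.url}` : null;
}

for (const line of SAMPLE_EVENTS) {
  console.log(toKv(line));
}
```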

pchintha
Engager

@isoutamo hi, I need your help for a regex to get the fields.

0 Karma

pchintha
Engager

Any luck from anyone?

0 Karma