From the below Log:
aoauwersdfx01a-mgt.example.com NewDecom: Info: 164807335647.901 0 10.200.111.06 NONE/504 0 GET http://wpad.example.com/wpad.dat - NONE/wpad.example.com
Need to extract the fields:
Field 1: result=NONE/504 change to status=504
Field 2: url=http://wpad.example.com/wpad.dat change to url=wpad.example.com
Need the regular expression for this.
Hi @pchintha
Quick question before the regex:
is the status code always prefixed with NONE?
And also, for the url at the end of the log, is it always prefixed with NONE/wpad.example.com?
If yes:
NONE\/(?<url>[a-z.]+)
NONE\/(?<status>\d+)
Above are the individual regexes, and below is one single regex if NONE always precedes the URL and status:
NONE\/(?<status>\d+)([\w+ :\/\/.-]+)NONE\/(?<url>[a-z.]+)
---------------------
Hope this helps
If you find the answer helpful, please accept the solution; karma is also appreciated.
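Whether the result is always prefixed with NONE, as asked in the reply above, decides whether the NONE-anchored pattern is safe. The following JavaScript check is an added example, not part of the original thread (the named-group syntax is the same as in the patterns above): it runs that status pattern and a position-anchored alternative over the log line from the question plus two constructed lines. The TCP_MISS and TCP_DENIED lines and the field layout that PROXY_RE relies on are assumptions.

```javascript
// Added example, not from the thread. LINES[0] is the log line from the
// question; LINES[1] and LINES[2] are constructed to show other result codes.
const LINES = [
  "aoauwersdfx01a-mgt.example.com NewDecom: Info: 164807335647.901 0 10.200.111.06 NONE/504 0 GET http://wpad.example.com/wpad.dat - NONE/wpad.example.com",
  "aoauwersdfx01a-mgt.example.com NewDecom: Info: 164807335648.112 35 10.200.111.07 TCP_MISS/200 1523 GET https://updates.example.org:8443/a/b?x=1 - DIRECT/updates.example.org",
  "aoauwersdfx01a-mgt.example.com NewDecom: Info: 164807335649.500 0 10.200.111.08 TCP_DENIED/403 0 CONNECT tunnel.example.net:443 - NONE/-",
];

// Status pattern from the answer above: it only matches when the result is NONE.
const NONE_STATUS_RE = /NONE\/(?<status>\d+)/;

// Assumed layout: <result>/<status> <bytes> <method> [scheme://]<host>[:port][/path]
// Anchoring on that sequence removes the dependency on the NONE prefix, and the
// optional scheme group keeps "http://" and the port out of the url capture.
const PROXY_RE =
  /\s(?<result>[A-Z_]+)\/(?<status>\d{3})\s+\d+\s+(?<method>[A-Z]+)\s+(?:[a-z][a-z0-9+.-]*:\/\/)?(?<url>[^\/\s:]+)/;

// Returns the status string, or null when the result code is not NONE.
function statusViaNonePrefix(line) {
  const m = NONE_STATUS_RE.exec(line);
  return m ? m.groups.status : null;
}

// Returns { status, url } with a bare status code and a bare host name,
// or null when the line does not follow the assumed layout.
function extractFields(line) {
  const m = PROXY_RE.exec(line);
  return m ? { status: m.groups.status, url: m.groups.url } : null;
}

for (const line of LINES) {
  console.log(statusViaNonePrefix(line), JSON.stringify(extractFields(line)));
}
```
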
@venky1544 thanks for your help, but I need the output to be only:
status=504, not status=/504
url=wpad.example.com, not url=http://wpad.example.com
Here we are only separating out the http://; we are not checking the NONE things in the url field.
Hi @pchintha
What do you mean by /504 and url=http://wpad.example.com?
Clearly the regex is extracting 504, not /504, and wpad.example.com.
Please check the screenshot; there is nothing wrong with the regex.
It seems you are doing something incorrect in Splunk while implementing the regex.
Please share your complete Splunk query and how you are executing it.
| rex field=result "/(?<status>\d+)"
| rex field=url "http://(?<url>[^/ ]+)"
@ITWhisperer I checked, but it's not matching anything. Also, after this work I need to add this regex to props.conf, so based on this please share the regex; this is not working at all for me.
The errors you are getting there are because in regex101 you need to escape the "/" like "\/".
Any luck from anyone?