Splunk Enterprise

How to create regex to extract the fields

pchintha
Engager

From the below Log:
aoauwersdfx01a-mgt.example.com NewDecom: Info: 164807335647.901 0 10.200.111.06 NONE/504 0 GET http://wpad.example.com/wpad.dat - NONE/wpad.example.com

Need to extract the fields:
Field 1: result=NON/504 change to status=504
Field 2: url=http://wpad.example.com/wpad.dat change to url=wpad.example.com

Need the regular expression for this.

 

0 Karma

venky1544
Builder

Hi @pchintha

Quick question before the regex:

Is the status code always prefixed with NONE?

And for the URL at the end of the log, is it always prefixed with NONE/wpad.example.com?

If yes:

NONE\/(?<url>[a-z.]+)

NONE\/(?<status>\d+)

Above are the individual regexes, and below is one single regex, if NONE always comes before the URL and status:

NONE\/(?<status>\d+)([\w+ :\/\/.-]+)NONE\/(?<url>[a-z.]+)

---------------------

Hope this helps 

If you find the answer helpful, please accept the solution; karma is also appreciated.

0 Karma

pchintha
Engager

@venky1544 Thanks for your help, but I need the output to be only:

status=504, not status=/504

url=wpad.example.com, not url=http://wpad.example.com

Here we are only separating out the http://; we are not checking the NONE things in the url field.

0 Karma

venky1544
Builder

Hi @pchintha

What do you mean by /504 and url=http://wpad.example.com?

Clearly the regex is extracting 504 and not /504, and wpad.example.com.

Please check the screenshot; there is nothing wrong with the regex.

It seems you are doing something incorrect in Splunk while implementing the regex.

Please share your complete Splunk query and how you are executing it.

0 Karma

ITWhisperer
SplunkTrust
| rex field=result "/(?<status>\d+)"
| rex field=url "http://(?<url>[^/ ]+)"
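
An offline check of the extractions discussed in the answers above, added here as an example and not code posted by anyone in the thread. It goes beyond the thread's single log line with one constructed event; the names RAW_EVENT, extract and extract_from_fields are hypothetical, and the field-scoped patterns assume that fields named result and url already exist on the event.

```python
import re

# Sample event copied from the question in this thread.
EVENT = ("aoauwersdfx01a-mgt.example.com NewDecom: Info: 164807335647.901 0 "
         "10.200.111.06 NONE/504 0 GET http://wpad.example.com/wpad.dat - "
         "NONE/wpad.example.com")

# Constructed variant (not from the thread): a different result prefix and
# an https URL with an explicit port.
CONSTRUCTED = [
    "proxy01.example.com NewDecom: Info: 1648073400.120 85 10.200.111.7 "
    "TCP_MISS/200 512 GET https://intranet.example.com:8443/index.html - "
    "DIRECT/intranet.example.com",
]

# Python spells named groups (?P<name>...); the thread's patterns use the
# (?<name>...) spelling. The rest of each pattern is unchanged.
# Whole-event pattern: anchor on "<RESULT>/<3 digits>", then the size and the
# HTTP method, then capture only the host part of the URL.
RAW_EVENT = re.compile(
    r"\s[A-Z_]+/(?P<status>\d{3})\s+\d+\s+[A-Z]+\s+"
    r"[a-z][a-z0-9+.-]*://(?P<url>[^/\s:]+)"
)

# Field-scoped patterns, as in ITWhisperer's answer: each one is applied to
# the value of one existing field, not to the raw event.
RESULT_FIELD = re.compile(r"/(?P<status>\d+)")
URL_FIELD = re.compile(r"http://(?P<url>[^/ ]+)")


def extract(event):
    """Return {'status': ..., 'url': ...} from a raw event, or None."""
    m = RAW_EVENT.search(event)
    return m.groupdict() if m else None


def extract_from_fields(result, url):
    """Apply the field-scoped patterns to already-extracted field values."""
    s = RESULT_FIELD.search(result)
    u = URL_FIELD.search(url)
    return {"status": s["status"] if s else None,
            "url": u["url"] if u else None}


if __name__ == "__main__":
    for line in [EVENT] + CONSTRUCTED:
        print(extract(line))
    print(extract_from_fields("NONE/504", "http://wpad.example.com/wpad.dat"))
```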

pchintha
Engager

@ITWhisperer I checked, but it's not matching anything. Also, after this works I need to add this regex in props.conf, so based on this please share the regex. This is not working at all for me.

0 Karma

diogofgm
SplunkTrust

The errors you are getting there are because in regex101 you need to escape the "/" like "\/".

------------
Hope I was able to help you. If so, some karma would be appreciated.
0 Karma

pchintha
Engager

@isoutamo Hi, I need your help with a regex to get the fields.

0 Karma

pchintha
Engager

Any luck from anyone?

0 Karma