Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Extract Http status from - event text -.. [2020-11-26T11:27:56.025047450Z] "PUT /sendmail HTTP/1.1" 400 203 252 "-"...

Jagdish
Loves-to-Learn Lots
‎12-02-2020 05:19 AM

i am trying to extract http status from below event row text using search , but could not able to get status,

event content - 

.. [2020-11-26T11:27:56.025047450Z] "PUT /sendmail HTTP/1.1" 400 203 252 "-" ...

search :

| rex field=_raw "(?<prevFields>.*)\"PUT /sendmail HTTP/\d+\.\d+\"  (?<statusFieldStart>.*)"
| table prevFields statusFieldStart

if i remove  \" , that is highlighted one , then i am getting statusFieldStart with content " 400 203 252 "-" ,that having double quote at start , want to remove it so i can extract status field complete. anything am i missing here

Labels (1)
Labels
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎12-02-2020 06:46 AM

If removing \" gives you undesired results then why remove it? It's not clear what problem you are trying to solve.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎12-02-2020 06:03 AM

Hi @Jagdish,

if you want to extract only "400", you have to use the following regex:

your_search
| rex field=_raw "(?<prevFields>.*)\"PUT\s+\/sendmail\s+HTTP\/\d+\.\d+\"\s+(?<statusFieldStart>\d+)"
| table prevFields statusFieldStart

that you can test at https://regex101.com/r/ib3ABr/1

If instead you want to extract "400 203 252", you could use this regex:

your_search
| rex field=_raw "(?<prevFields>.*)\"PUT\s+\/sendmail\s+HTTP\/\d+\.\d+\"\s+(?<statusFieldStart>\d+\s+\d+\s+\d+)"
| table prevFields statusFieldStart

that you can test at https://regex101.com/r/ib3ABr/2

Ciao.

Giuseppe

0 Karma
Reply

Jagdish
Loves-to-Learn Lots
‎12-03-2020 03:15 AM

Thanks , but its not working it does not showing either of field value.

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎12-03-2020 04:35 AM

Hi @Jagdish,

the regex I hinted extracts the values from the sample you shared (see in regex101).

If it doesn't run on your data, please share more complete samples to check the regex.

Ciao.

Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...