
Extract HTTP status from event text: .. [2020-11-26T11:27:56.025047450Z] "PUT /sendmail HTTP/1.1" 400 203 252 "-"...

Jagdish
Loves-to-Learn Lots

I am trying to extract the HTTP status from the event row text below using search, but I am not able to get the status.

event content - 

.. [2020-11-26T11:27:56.025047450Z] "PUT /sendmail HTTP/1.1" 400 203 252 "-" ...

search :

| rex field=_raw "(?<prevFields>.*)\"PUT /sendmail HTTP/\d+\.\d+\"  (?<statusFieldStart>.*)"
| table prevFields statusFieldStart

If I remove the \" (the highlighted one), then I get statusFieldStart with the content " 400 203 252 "-", which has a double quote at the start. I want to remove it so I can extract the status field completely. Am I missing anything here?

0 Karma

richgalloway
SplunkTrust

If removing \" gives you undesired results then why remove it? It's not clear what problem you are trying to solve.

---
If this reply helps you, Karma would be appreciated.
0 Karma

gcusello
SplunkTrust

Hi @Jagdish,

if you want to extract only "400", you have to use the following regex:

your_search
| rex field=_raw "(?<prevFields>.*)\"PUT\s+\/sendmail\s+HTTP\/\d+\.\d+\"\s+(?<statusFieldStart>\d+)"
| table prevFields statusFieldStart

that you can test at https://regex101.com/r/ib3ABr/1

If instead you want to extract "400 203 252", you could use this regex:

your_search
| rex field=_raw "(?<prevFields>.*)\"PUT\s+\/sendmail\s+HTTP\/\d+\.\d+\"\s+(?<statusFieldStart>\d+\s+\d+\s+\d+)"
| table prevFields statusFieldStart

that you can test at https://regex101.com/r/ib3ABr/2

Ciao.

Giuseppe

0 Karma
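The two rex patterns from this answer, run outside Splunk as an added example (written for this page, not Giuseppe's or Splunk's own code). It uses Python's re module in place of Splunk's PCRE engine, so named groups are written (?P<name>...) and the SPL-level \" and \/ escaping is dropped; the second and third sample events are constructed here to show another status code and a request line the PUT-only regex does not match.

```python
import re
from collections import Counter

# Constructed sample events. The first is the line quoted in the question; the other
# two are made up here to show a second status code and a non-matching request line.
EVENTS = [
    '.. [2020-11-26T11:27:56.025047450Z] "PUT /sendmail HTTP/1.1" 400 203 252 "-" ...',
    '.. [2020-11-26T11:28:01.000000000Z] "PUT /sendmail HTTP/1.1" 200 1024 87 "-" ...',
    '.. [2020-11-26T11:28:05.000000000Z] "GET /health HTTP/1.1" 503 12 3 "-" ...',
]

# Python's re module needs (?P<name>...) where Splunk rex accepts (?<name>...), and the
# SPL string escaping (\" for a quote, \/ for a slash) is not needed in a raw string.

# The question's pattern: two literal spaces after the closing quote, but the event
# has one, so the match fails and neither field is produced.
ORIGINAL = re.compile(r'(?P<prevFields>.*)"PUT /sendmail HTTP/\d+\.\d+"  (?P<statusFieldStart>.*)')

# The answer's first regex: \s+ tolerates any whitespace and \d+ stops at the status code.
STATUS_ONLY = re.compile(r'(?P<prevFields>.*)"PUT\s+/sendmail\s+HTTP/\d+\.\d+"\s+(?P<statusFieldStart>\d+)')

# Same idea generalised (an addition beyond the thread) to any method and path, so one
# extraction covers every request line plus the three numbers that follow it.
GENERAL = re.compile(
    r'"(?P<method>[A-Z]+)\s+(?P<path>\S+)\s+HTTP/\d+\.\d+"\s+'
    r'(?P<status>\d{3})\s+(?P<size1>\d+)\s+(?P<size2>\d+)'
)

def extract_status(event: str, pattern: re.Pattern = STATUS_ONLY):
    """Return the captured statusFieldStart, or None when the pattern does not match."""
    m = pattern.search(event)
    return m.group("statusFieldStart") if m else None

def extract_request(event: str):
    """Return method, path and status as a dict for any request line, or None."""
    m = GENERAL.search(event)
    return {k: m.group(k) for k in ("method", "path", "status")} if m else None

def count_by_status(events):
    """Count events per HTTP status, what `| stats count by status` would give in SPL."""
    return Counter(r["status"] for r in map(extract_request, events) if r)

if __name__ == "__main__":
    for e in EVENTS:
        print(extract_status(e, ORIGINAL), extract_status(e), extract_request(e))
    print(count_by_status(EVENTS))
```

Running it shows the original pattern returning None for every event while the answer's pattern yields 400 and 200 for the two PUT lines; the per-status count is the shape a 4xx/5xx spike alert would be built on.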

Jagdish
Loves-to-Learn Lots

Thanks, but it's not working; it does not show either of the field values.

0 Karma

gcusello
SplunkTrust

Hi @Jagdish,

the regex I hinted at extracts the values from the sample you shared (see regex101).

If it doesn't run on your data, please share more complete samples to check the regex.

Ciao.

Giuseppe

0 Karma