Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Extract Http status from - event text -.. [2020-11-26T11:27:56.025047450Z] "PUT /sendmail HTTP/1.1" 400 203 252 "-"...

Jagdish
Loves-to-Learn Lots
‎12-02-2020 05:19 AM

i am trying to extract http status from below event row text using search , but could not able to get status,

event content - 

.. [2020-11-26T11:27:56.025047450Z] "PUT /sendmail HTTP/1.1" 400 203 252 "-" ...

search :

| rex field=_raw "(?<prevFields>.*)\"PUT /sendmail HTTP/\d+\.\d+\"  (?<statusFieldStart>.*)"
| table prevFields statusFieldStart

if i remove  \" , that is highlighted one , then i am getting statusFieldStart with content " 400 203 252 "-" ,that having double quote at start , want to remove it so i can extract status field complete. anything am i missing here

Labels (1)
Labels
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎12-02-2020 06:46 AM

If removing \" gives you undesired results then why remove it? It's not clear what problem you are trying to solve.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎12-02-2020 06:03 AM

Hi @Jagdish,

if you want to extract only "400", you have to use the following regex:

your_search
| rex field=_raw "(?<prevFields>.*)\"PUT\s+\/sendmail\s+HTTP\/\d+\.\d+\"\s+(?<statusFieldStart>\d+)"
| table prevFields statusFieldStart

that you can test at https://regex101.com/r/ib3ABr/1

If instead you want to extract "400 203 252", you could use this regex:

your_search
| rex field=_raw "(?<prevFields>.*)\"PUT\s+\/sendmail\s+HTTP\/\d+\.\d+\"\s+(?<statusFieldStart>\d+\s+\d+\s+\d+)"
| table prevFields statusFieldStart

that you can test at https://regex101.com/r/ib3ABr/2

Ciao.

Giuseppe

0 Karma
Reply

Jagdish
Loves-to-Learn Lots
‎12-03-2020 03:15 AM

Thanks , but its not working it does not showing either of field value.

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎12-03-2020 04:35 AM

Hi @Jagdish,

the regex I hinted extracts the values from the sample you shared (see in regex101).

If it doesn't run on your data, please share more complete samples to check the regex.

Ciao.

Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...