Splunk Search

Extract Http status from - event text -.. [2020-11-26T11:27:56.025047450Z] "PUT /sendmail HTTP/1.1" 400 203 252 "-"...

Jagdish
Loves-to-Learn Lots

I am trying to extract the HTTP status from the event row text below using search, but I am not able to get the status.

event content - 

.. [2020-11-26T11:27:56.025047450Z] "PUT /sendmail HTTP/1.1" 400 203 252 "-" ...

search :

| rex field=_raw "(?<prevFields>.*)\"PUT /sendmail HTTP/\d+\.\d+\"  (?<statusFieldStart>.*)"
| table prevFields statusFieldStart

If I remove the \" (the highlighted one), then I get statusFieldStart with the content " 400 203 252 "-", which has a double quote at the start. I want to remove it so I can extract the status field completely. Is there anything I am missing here?


richgalloway
SplunkTrust

If removing \" gives you undesired results then why remove it? It's not clear what problem you are trying to solve.

---
If this reply helps you, an upvote would be appreciated.

gcusello
SplunkTrust

Hi @Jagdish,

if you want to extract only "400", you have to use the following regex:

your_search
| rex field=_raw "(?<prevFields>.*)\"PUT\s+\/sendmail\s+HTTP\/\d+\.\d+\"\s+(?<statusFieldStart>\d+)"
| table prevFields statusFieldStart

that you can test at https://regex101.com/r/ib3ABr/1

If instead you want to extract "400 203 252", you could use this regex:

your_search
| rex field=_raw "(?<prevFields>.*)\"PUT\s+\/sendmail\s+HTTP\/\d+\.\d+\"\s+(?<statusFieldStart>\d+\s+\d+\s+\d+)"
| table prevFields statusFieldStart

that you can test at https://regex101.com/r/ib3ABr/2

Ciao.

Giuseppe

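To see why the regex in the question never matches and why the suggested one does, here is an added example (not part of the thread) that runs the same patterns with Python's re module against a constructed copy of the sample event. Python only accepts the (?P<name>...) spelling for named groups, whereas Splunk's rex (PCRE) also accepts (?<name>...); the patterns are otherwise identical. It also goes one step beyond the thread with a more general pattern that does not hard-code the method or path; the names num1/num2 for the two trailing numbers are assumptions, since the thread does not say what 203 and 252 mean.

```python
import re

# Constructed sample event, modelled on the one posted in the thread (not real data).
SAMPLE_EVENT = (
    '.. [2020-11-26T11:27:56.025047450Z] "PUT /sendmail HTTP/1.1" 400 203 252 "-" ...'
)

# A second constructed event with a different method and two spaces before the
# status, to show that \s+ copes with irregular whitespace.
SAMPLE_EVENT_GET = (
    '.. [2020-11-26T11:28:01.000000000Z] "GET /health HTTP/1.1"  200 0 15 "-" ...'
)

# The pattern from the question. Note the TWO literal spaces after the closing
# quote; the event has exactly one space there, so this pattern never matches.
BROKEN_PATTERN = r'(?P<prevFields>.*)"PUT /sendmail HTTP/\d+\.\d+"  (?P<statusFieldStart>.*)'

# The suggested fix: \s+ accepts one or more spaces/tabs, and \d+ captures only
# the status code instead of the rest of the line.
STATUS_PATTERN = (
    r'(?P<prevFields>.*)"PUT\s+/sendmail\s+HTTP/\d+\.\d+"\s+(?P<statusFieldStart>\d+)'
)

# A more general variant (assumption, not from the thread): any method and path,
# status must be exactly three digits, and the two following numbers are captured
# separately. num1/num2 are placeholder names; their meaning is unknown here.
GENERAL_PATTERN = (
    r'"(?P<method>[A-Z]+)\s+(?P<path>\S+)\s+HTTP/(?P<version>\d+\.\d+)"\s+'
    r'(?P<status>\d{3})\s+(?P<num1>\d+)\s+(?P<num2>\d+)'
)


def extract(pattern, event):
    """Return the named groups as a dict, or None when the pattern does not match.

    This mirrors what Splunk's rex does on a non-matching event: the fields
    simply do not appear, which is what the question reported.
    """
    m = re.search(pattern, event)
    return m.groupdict() if m else None


def http_status(event):
    """Return the HTTP status as an int using the general pattern, or None."""
    fields = extract(GENERAL_PATTERN, event)
    return int(fields["status"]) if fields else None


if __name__ == "__main__":
    print("broken :", extract(BROKEN_PATTERN, SAMPLE_EVENT))
    print("status :", extract(STATUS_PATTERN, SAMPLE_EVENT))
    print("general:", extract(GENERAL_PATTERN, SAMPLE_EVENT))
    print("general:", extract(GENERAL_PATTERN, SAMPLE_EVENT_GET))
```

The same check can be done in SPL by replacing the literal spaces in the original rex with \s+; if the fields still do not appear, the event text differs from the sample (for example in whitespace or quoting), and a longer raw sample is needed to adjust the pattern.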

Jagdish
Loves-to-Learn Lots

Thanks, but it's not working; it does not show either field value.


gcusello
SplunkTrust

Hi @Jagdish,

the regex I suggested extracts the values from the sample you shared (see regex101).

If it doesn't run on your data, please share more complete samples to check the regex.

Ciao.

Giuseppe
