Solved: Extract raw data for URL into field

nbhat · ‎01-21-2022

Hi,

In the following log, I wanted to extract Url, Method, ResponseTimeMs, StatusCode as a table:

log: a_level="INFO", a_time="null", a_sub="xxx", a_uid="xx", a_tid="xx", a_rid="guid", a_thread="175" a_type="type", a_met="Move", a_msg="Method=GET,Uri=http://monolith-xxx.abc.com/v2/clients?skip=0top=100,MediaType=null,RemoteIP=::ffff:10.10.10.10,XRem...

For URL, I wanted the full extract "http://monolith-xxx.abc-xyz/v2/clients?skip=0top=100"

My current splunk query is as below:

index=aws_abc env=prd-01 uri Method StatusCode ResponseTimeMs
| eval DataSet=log
| rex field=DataSet "ResponseTimeMs=(?<ResponseTimeMs>\d+),StatusCode=(?<StatusCode>\d+)"
| rex field=DataSet "Url=(?<uri>[^,]+),Method=(?<Method>\w+)"
| table Url,Method,ResponseTimeMs, StatusCode

I get value in the table for ResponseTimeMs, StatusCode but not for URL and Method. Please help. Thanks

johnhuang · ‎01-21-2022

Not sure if there's typos in the example you've provided, the string after "a_msg" seems inconsistent with previous format.

Anyways, this was written have some flexibilty in accomodating possible typos your event example.

| rex field=DataSet "\"?Method\"?\=(?<Method>[^,]*)\,Uri=(?<uri>[^\,]+)"

View solution in original post

johnhuang · ‎01-21-2022

Not sure if there's typos in the example you've provided, the string after "a_msg" seems inconsistent with previous format.

Anyways, this was written have some flexibilty in accomodating possible typos your event example.

| rex field=DataSet "\"?Method\"?\=(?<Method>[^,]*)\,Uri=(?<uri>[^\,]+)"

nbhat · ‎01-21-2022

Thank you very much

Extract raw data for URL into field

field extraction

rex

table

Splunk Classroom Chronicles: Training Tales and Testimonials (Episode 3)

Operationalizing TDIR: Building a More Resilient, Scalable SOC

Almost Too Eventful Assurance: Part 1

Are you a member of the Splunk Community?