Splunk Search

Field Extraction-- Grab 3 digits between fixed words

skoelpin
SplunkTrust

I have 3 different status codes which I need extracted; the words around them will be fixed and never change.

I will have 3 different status codes (200, 400, 0)

So far I have

^StatusCode>(?P<StatusCode>\d{1,3})

It will always look like this

<a:StatusCode>200</a:StatusCode>
<a:StatusCode>400</a:StatusCode>
<a:StatusCode>0</a:StatusCode>

1 Solution

jacobwilkins
Communicator

In props.conf, under the stanza for this sourcetype (let's pretend it is called foo):

[foo]
EXTRACT-statuscode=^<a:StatusCode>(?<StatusCode>\d*)</a:StatusCode>$

That should do it. You might have to strip the anchors (either ^ or $) if the event doesn't always appear on a line by itself with no leading whitespace.

If the event is 100% XML, you might try this instead:

[foo]
KV_MODE=xml

skoelpin
SplunkTrust

This worked perfectly! I didn't know you could extract in props.conf, that's good to know

Can you elaborate on KV_MODE=xml?

Thanks for your help!!


MuS
Legend

From the docs on props.conf: http://docs.splunk.com/Documentation/Splunk/6.2.3/admin/Propsconf

Specifies the field/value extraction mode for the data.
* Set KV_MODE to one of the following:
    * xml : automatically extracts fields from XML data.

regexcracker
New Member

If the logger is in XML format, then use

mysearch | xmlkv | search StatusCode | table StatusCode

If it's a normal logger,

mysearch | rex field=_raw "(?<code>\d+)" | table StatusCode

OR try

mysearch | rex field=_raw "(?<code>\d+)" | table StatusCode


skoelpin
SplunkTrust

Thanks for the reply. I need to extract a field so my team can use it at anytime. Any suggestions on the regex for extracting the field?


stephanefotso
Motivator

Here you go:

..|rex field=_raw "\<a\:StatusCode\>(?<statuscode>\d+)\<"|table statuscode

SGF

pradeepkumarg
Influencer

rex "(?i)StatusCode\W(?P<StatusCode>.\d+)\W"


skoelpin
SplunkTrust

Thanks for the reply. Nothing appeared when I put this in

index=uvtrans ...| rex "(?i)StatusCode\W(?P<StatusCode>.\d+)\W"
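The patterns proposed across this thread (the regex in the question, the accepted EXTRACT from jacobwilkins' props.conf answer with and without its anchors, and the rex variants from stephanefotso and pradeepkumarg) can be checked offline before anything is deployed to a search head. The script below is an added example, not code from the thread or from Splunk: it runs every candidate over the three events given in the question plus two constructed variants, an indented copy of one event (the anchor caveat in the accepted answer) and an empty `<a:StatusCode></a:StatusCode>` element (the difference between `\d*` and `\d+`). Splunk's rex and EXTRACT use PCRE, which accepts `(?<name>...)`, while Python's re module only understands `(?P<name>...)`, so the `pcre_to_python` helper rewrites that one piece of syntax; for the constructs used here the two engines behave identically. The helper names `pcre_to_python`, `extract` and `evaluate_all` are this example's own.

```python
import re

# Constructed sample events: the three examples from the question, plus an
# indented copy (exercises the ^/$ anchor caveat from the accepted answer) and
# an empty element (exercises \d* versus \d+).
EVENTS = [
    "<a:StatusCode>200</a:StatusCode>",
    "<a:StatusCode>400</a:StatusCode>",
    "<a:StatusCode>0</a:StatusCode>",
    "   <a:StatusCode>200</a:StatusCode>",   # constructed: leading whitespace
    "<a:StatusCode></a:StatusCode>",         # constructed: empty element
]

# The regexes proposed in the thread, exactly as posted (PCRE syntax).
CANDIDATES = {
    "question (original)":        r"^StatusCode>(?P<StatusCode>\d{1,3})",
    "accepted EXTRACT":           r"^<a:StatusCode>(?<StatusCode>\d*)</a:StatusCode>$",
    "accepted, anchors stripped": r"<a:StatusCode>(?<StatusCode>\d*)</a:StatusCode>",
    "stephanefotso rex":          r"\<a\:StatusCode\>(?<statuscode>\d+)\<",
    "pradeepkumarg rex":          r"(?i)StatusCode\W(?P<StatusCode>.\d+)\W",
}


def pcre_to_python(pattern: str) -> str:
    """Rewrite PCRE named groups (?<name>...) as Python (?P<name>...).

    Lookbehind assertions (?<= and (?<! are left untouched, and groups that
    already use the (?P<name> form are not affected.
    """
    return re.sub(r"\(\?<(?![=!])", "(?P<", pattern)


def extract(pattern: str, event: str):
    """Return the value the pattern's named group captures from one event,
    the way rex/EXTRACT would populate the field, or None if it does not match."""
    match = re.search(pcre_to_python(pattern), event)
    if match is None:
        return None
    # Every candidate in this thread defines exactly one named group
    # (StatusCode or statuscode), so the first group value is the field.
    return next(iter(match.groupdict().values()))


def evaluate_all():
    """Map each candidate name to the list of values it extracts, one per event."""
    return {name: [extract(p, e) for e in EVENTS] for name, p in CANDIDATES.items()}


if __name__ == "__main__":
    for name, results in evaluate_all().items():
        print(f"{name:28s} {results}")
```

Running it shows why the question's own regex never fires (the raw line starts with `<a:`, not `StatusCode>`), that the anchored EXTRACT misses the indented event while the unanchored form does not, that the `.\d+` pattern cannot capture the single-digit code `0` because `.` consumes the digit and `\d+` then needs another, and that `\d*` happily extracts an empty string from an empty element where `\d+` simply fails to match.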
