Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Field Extraction-- Grab 3 digits between fixed words

skoelpin
SplunkTrust
SplunkTrust
‎05-20-2015 12:28 PM

I have 3 different status codes which I need extracted, the words around them will be fixed and never change

I will have 3 different status codes (200, 400, 0)

So far I have 

^StatusCode>(?P<StatusCode>\d{1,3})

It will always look like this

<a:StatusCode>200</a:StatusCode>
<a:StatusCode>400</a:StatusCode>
<a:StatusCode>0</a:StatusCode>

Tags (2)
Reply
1 Solution
Solved! Jump to solution
Solution

jacobwilkins
Communicator
‎05-20-2015 01:25 PM

In props.conf, under the stanza for this sourcetype (lets pretend it is called foo):

[foo]
EXTRACT-statuscode=^<a:StatusCode>(?<StatusCode>\d*)</a:StatusCode>$

That should do it. You might have to strip the anchors (either ^ or $) if the event doesn't always appear on a line by itself with no leading whitespace.

The the event is 100% XML, you might try this instead:

[foo]
KV_MODE=xml

View solution in original post

Reply
Solved! Jump to solution
Solution

jacobwilkins
Communicator
‎05-20-2015 01:25 PM

In props.conf, under the stanza for this sourcetype (lets pretend it is called foo):

[foo]
EXTRACT-statuscode=^<a:StatusCode>(?<StatusCode>\d*)</a:StatusCode>$

That should do it. You might have to strip the anchors (either ^ or $) if the event doesn't always appear on a line by itself with no leading whitespace.

The the event is 100% XML, you might try this instead:

[foo]
KV_MODE=xml
Reply
Solved! Jump to solution

skoelpin
SplunkTrust
SplunkTrust
‎05-20-2015 06:17 PM

This worked perfectly! I didn't know you could extract in props.conf, that's good to know

Can you elaborate on KV_MODE=xml?

Thanks for your help!!

0 Karma
Reply
Solved! Jump to solution

MuS
SplunkTrust
SplunkTrust
‎05-20-2015 06:22 PM

from the docs on props.conf http://docs.splunk.com/Documentation/Splunk/6.2.3/admin/Propsconf

Specifies the field/value extraction mode for the data.
* Set KV_MODE to one of the following:
    * xml : automatically extracts fields from XML data.
Reply
Solved! Jump to solution

regexcracker
New Member
‎05-20-2015 12:40 PM

If the logger is in xml format then use

mysearch | xmlkv | search StatusCode | table StatusCode

if its a normal logger,

mysearch | rex field=_raw "(?<code>\d+)" | table StatusCode

OR try

mysearch | rex field=_raw "(?<code>\d+)" | table StatusCode

0 Karma
Reply
Solved! Jump to solution

skoelpin
SplunkTrust
SplunkTrust
‎05-20-2015 01:12 PM

Thanks for the reply. I need to extract a field so my team can use it at anytime. Any suggestions on the regex for extracting the field?

0 Karma
Reply
Solved! Jump to solution

stephanefotso
Motivator
‎05-20-2015 03:00 PM

here you go: ..|rex field=_raw "\&lt;a\:StatusCode\&gt;(?&lt;statuscode&gt;\d+)\&lt;"|table statuscode

SGF
0 Karma
Reply
Solved! Jump to solution

pradeepkumarg
Influencer
‎05-20-2015 12:39 PM

rex "(?i)StatusCode\W(?P&lt;StatusCode&gt;.\d+)\W"

0 Karma
Reply
Solved! Jump to solution

skoelpin
SplunkTrust
SplunkTrust
‎05-20-2015 01:15 PM

Thanks for the reply. Nothing appeared when I put this in

index=uvtrans ...| rex "(?i)StatusCode\W(?P<StatusCode>.\d+)\W"

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | When is October more than just the tenth month?

October 2025 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

What’s New & Next in Splunk SOAR

 Security teams today are dealing with more alerts, more tools, and more pressure than ever.  Join us for an ...