Solved: Help with Field Extraction Using Regex

MaddyRaj · ‎07-05-2023

I have 2 requests here.

I am trying to extract and create a new field from logs.

Logs for request 1:

2023-06-30 02:36:32 [INFO] [c6ea0e48-e793-4c35-893e-ff1f253dbca0] {"method":"GET","path":"/api/v2/organizations/infrastructure/workspaces","format":"jsonapi","status":200,"duration":377.88,"view":263.86,"db":65.86,"uuid":"c6ea0e48-e793-4c35-893e-ff1f253dbca0","remote_ip":"10.37.23.55, 10.218.136.20","request_id":"c6ea0e48-e793-4c35-893e-ff1f253dbca0","user_agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36","user":"iamtfeprdadmin","organization":"infrastructure","dd"

Here I want to extract & create a new field "status"

Example: status=200

Request 2 Logs:

10.218.136.20 - - [30/Jun/2023:02:36:32 +0000] "GET /api/v2/runs/run-HtzBcKEKf8x75mVe/run-events?include=comment%2Cactor HTTP/1.1" 304 0 "https://terraform.srv.companyname.com.au/app/customer/workspaces/a01300-tfe-dev01-customer_infra_azure/runs/run-HtzBcKEKf8x75mVe" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36"

Here I want to extract & create a new field "org"

Example: org=customer

(Result of the org is next to app. ie. companyname.com.au/app/customer)

Please help

ITWhisperer · ‎07-05-2023

| rex "status\":(?<status>\d+)"
| rex "\/app\/(?<org>[^\/]+)"

View solution in original post

ITWhisperer · ‎07-05-2023

| rex "status\":(?<status>\d+)"
| rex "\/app\/(?<org>[^\/]+)"

Help with Field Extraction Using Regex

field extraction

search job inspector

timechart

Splunk AI Assistant for SPL | Key Use Cases to Unlock the Power of SPL

Buttercup Games: Further Dashboarding Techniques (Part 5)

Customers Increasingly Choose Splunk for Observability