Solved: Re: Help with Regex...?

prakash007 · ‎10-18-2016

I'm trying to extract the following from this regex...somehow i am not able to get the browser agent and status...

some of the data doesn't have a user agent..any help to get IP, UserAgent(optional), status

(?P<method>\w+)\s(?P<URL>.*)?\s\-\s(?P<port>\d+)\s\-\s(?P<IP>\d+\.\d+\.\d+\.\d+)\s?\-?\s(?P<UserAgent>.*\))?\s?(?P<status>\d+)


GET /user/stell_static/legacy/css/share.css - 443 - 192.188.2.0 - 404

GET / - 443 - 192.168.28.0 - 200 0 0 0

GET /public/about.html - 443 - 192.168.26.7 - 403

POST /data/willer/testsample.php - 443 - 192.168.20.1 Mozilla/4.0+(Windows;+U;+Windows+NT+5.1;+en-US;+rv:1.8.1.14) 404 0 2 0

GET /ajax/real/setsample.asp - 443 - 192.168.21.0 Mozilla/5.0+(Windows+NT+5.1;+WOW64;+rv:35.0)+Gecko/20980000+Firefox/45.0 200 0 0 31 #apache webserver services #version5.5

somesoni2 · ‎10-18-2016

This should do it

(?P<method>\w+)\s+(?P<URL>\S+)\s+\S+\s+(?P<port>\d+)\s+\S+\s+(?P<IP>\d+\.\d+\.\d+\.\d+)\s+(?P<UserAgent>\S+)\s+(?P<status>\d+)

https://regex101.com/r/Vg9lbg/1

View solution in original post

gokadroid · ‎10-18-2016

This will work for all you cases:

(?P<method>[\w]+)\s+(?P<URL>[^\s]+)\s+\S+\s+(?P<port>[\d]+)\s+\S+\s+(?P<IP>[\d\.]+)\s+(?P<UserAgent>[\S]+)\s+(?P<status>[\d]+)

inventsekar · ‎10-18-2016

tested and its working good..

sourcetype="post" 
| rex field=_raw "(?P<method>\w+)\s(?P<URL>.*)?\s\-\s(?P<port>\d{3})\s\-\s(?P<IP>\d+\.\d+\.\d+\.\d+)\s(?P<UserAgent>.*)\s(?P<status>\d{3})"
| table method URL port IP UserAgent status _raw

somesoni2 · ‎10-18-2016

This should do it

(?P<method>\w+)\s+(?P<URL>\S+)\s+\S+\s+(?P<port>\d+)\s+\S+\s+(?P<IP>\d+\.\d+\.\d+\.\d+)\s+(?P<UserAgent>\S+)\s+(?P<status>\d+)

https://regex101.com/r/Vg9lbg/1

gcusello · ‎10-18-2016

Try this one:

(?P<method>\w+)\s(?P<URL>.*)?\s\-\s(?P<port>\d+)\s\-\s(?P<IP>\d+\.\d+\.\d+\.\d+)\s(?P<UserAgent>[^ ]*)?\s?(?P<status>\d\d\d)

If you want to modify it test on https://regex101.com/

Bye.
Giuseppe

prakash007 · ‎10-18-2016

somehow it's not working well for this kind of data

GET /ajax/real/setsample.asp - 443 - 192.168.21.0 Mozilla/5.0+(Windows+NT+5.1;+WOW64;+rv:35.0)+Gecko/20980000+Firefox/45.0 200 0 0 31 950 #softwate#apache 560 731

UserAgent=Mozilla/5.0+(Windows+NT+5.1;+WOW64;+rv:35.0)+Gecko/20980000+Firefox/45.0 200 0 0 31 950 #softwate#apache 560
 expected(UserAgent=Mozilla/5.0+(Windows+NT+5.1;+WOW64;+rv:35.0)+Gecko/20980000+Firefox/45.0)

status=731
(expected status=200)

GET / - 443 - 192.168.67.1 - 200 0 0 202

UserAgent= -200
(expected UserAgent = -)

status=202
(expected status=200)

skoelpin · ‎10-18-2016

You should create 2 separate fields for the user agent string and the status code

User gent string regex
(?P<UserAgent>\d+\.\d+\.\d+\.\d+\s(\S+))

Help with Regex...?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Automating Threat Operations and Threat Hunting with Recorded Future

Join the Conversation