Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do I edit my regex to extract this field from my sample event?

athorat
Communicator
‎02-17-2016 03:09 PM

Want to extract only /ubi-v2/api/scoresummary from the below mentioned event in a field.
Rex used: 

`| rex "(?<remote_addr>[^\s]*) -(| ) (| )- \[(?<time_local>[^\]]*)\] \"(?<request>[^\"]*)\" (?<status>[^\s]*) (?<body_bytes_sent>[^\s]*)"

Event:

172.26.129.10 - - [16/Feb/2016:23:59:55 -0700] "GET /ubi-v1/api/ubidevicestatus?vin=1N4AL3AP3DC114528 HTTP/1.1" 500 1696

Don't need the entire "GET" Request,Tried using (GET[^\?]*) but that does not get any results
Thanks for looking into this.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎02-17-2016 03:43 PM

Try like this (run anywhere sample, first two lines are only to generate data, replace that with your base search)

| gentimes start=-1 | eval _raw="172.26.129.10 - - [16/Feb/2016:23:59:55 -0700] \"GET /ubi-v1/api/ubidevicestatus?vin=1N4AL3AP3DC114528  HTTP/1.1\" 500 1696" | table _raw
| rex "(?<remote_addr>[^\s]*)\s+\S+\s+\S+\s+\[(?<time_local>[^\]]*)\] \"(?<method>\S+)\s+(?<request>[^?\"\s]*).*\" (?<status>[^\s]*) (?<body_bytes_sent>[^\s]*)"

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎02-17-2016 03:43 PM

Try like this (run anywhere sample, first two lines are only to generate data, replace that with your base search)

| gentimes start=-1 | eval _raw="172.26.129.10 - - [16/Feb/2016:23:59:55 -0700] \"GET /ubi-v1/api/ubidevicestatus?vin=1N4AL3AP3DC114528  HTTP/1.1\" 500 1696" | table _raw
| rex "(?<remote_addr>[^\s]*)\s+\S+\s+\S+\s+\[(?<time_local>[^\]]*)\] \"(?<method>\S+)\s+(?<request>[^?\"\s]*).*\" (?<status>[^\s]*) (?<body_bytes_sent>[^\s]*)"
0 Karma
Reply
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...