Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do I write a regular expression to extract 2 fields from my sample data?

JoshuaJohn
Contributor
‎09-14-2016 08:40 AM

So I have a search that will check if two variables equal a specific number, and then I get the count of these instances. I am having trouble regexing the numbers I needed to create the variables.

index=nitro_prod_ecomm errorCode |rex (This grabs the Response Code) | rex (This grabs Error Code) | where RespCode = 400 AND ErrorCode = 1001 | table count

REQUEST_BODY:
{profileId:0156",deviceId:D893-4324234234C"}
RESPONSE_CODE:400
RESPONSE_TIME:2
RESPONSE_HEADERS:
Date:Wed, 14 Sep 2016 15:10:17 GMT;
X-Powered-By:Servlet/3.0;
correlation-id:NAID-iOS-E6B4F6817.94320;
channel:IOS;
Content-Type:application/json;
Transfer-Encoding:chunked;
Connection:Close;
RESPONSE_BODY:
{"errors":[{"errorCode":"1001","message":""}]}

_WS_HAPRT_WLMVERSION:-1;
RESPONSE_CODE:500
RESPONSE_TIME:11
RESPONSE_HEADERS:
X-Powered-By:Servlet/3.0;
correlation-id:TID-14743243247;
Content-Type:application/json;
Transfer-Encoding:chunked;
Connection:Close;
Date:Wed, 14 Sep 2016 15:33:13 GMT;
RESPONSE_BODY:
{"errors":[{"errorCode":"1010","message":""}]}

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

sundareshr
Legend
‎09-14-2016 08:49 AM

Try these two regex

... | rex "errorCode\"\:\"(?<err_code>\d+)\"" | rex "RESPONSE_CODE\:(?<resp_code>\d+)"

View solution in original post

Reply
Solved! Jump to solution
Solution

sundareshr
Legend
‎09-14-2016 08:49 AM

Try these two regex

... | rex "errorCode\"\:\"(?<err_code>\d+)\"" | rex "RESPONSE_CODE\:(?<resp_code>\d+)"
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎09-14-2016 08:48 AM

Try this

index=nitro_prod_ecomm errorCode |rex "RESPONSE_CODE:(?<RespCode>\d+)" | rex "\"errorCode\":\"(?<ErrorCode>\d+)\"" | where RespCode = 400 AND ErrorCode = 1001 | stats count
0 Karma
Reply
Solved! Jump to solution

PPape
Contributor
‎09-14-2016 08:47 AM

you could try those two:

rex field=_raw "RESPONSE_CODE:(?P<RespCode>\d+)"

rex field=_raw "errorCode\":\"(?P<ErrorCode>\d+)"

Edit: escaped quotes and used + thanks to richgalloway

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎09-14-2016 08:51 AM

The quotes with the regex will have to be escaped.
I prefer to use \d+ to avoid assumptions about the length of a number.

---
If this reply helps you, Karma would be appreciated.
Reply
Get Updates on the Splunk Community!

Splunk Observability as Code: From Zero to Dashboard

For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...