Hello,
I am trying to extract the 201 text highlighted in red below as one separate field from two separate events. How may I do this? I attempted the field extraction feature in Splunk but had no luck. Any assistance is appreciated!
This is NCSA's httpd access log format, for which Splunk provides a stock extraction. Just set sourcetype to "access_combined" or "access_common". This will give you the best result. You can study the related stanzas in etc/system/default/props.conf to see how it is done.
Thank you. I can look into that. Is there a short-term solution I can do in the interim?
I didn't notice that the logs in Event 1 are not fully conformant to NCSA. This is horrible and you should get the developers/admins to fix that. In the short term, if HTTP status is the only field of interest, you can try
| rex "(GET|POST|HEAD|DELETE) +\S+ +HTTP/\S+\s+(?<http_status>\d+)"
Here I'm trying to make this as robust as possible according to the posted patterns and some educated guesses. But given that your developers are not respecting a well-established format, there's no guarantee that they'll follow this pattern in all cases.
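Worked example, added here and not part of the original thread: the two extractions proposed in the replies above, the stock-style NCSA parse that the access_combined sourcetype performs and the short-term rex, expressed as Python regexes and run over constructed sample lines. The original events from the question are not on the page, so the log lines, the host name app01 and the shape of the non-conformant "Event 1" line are assumptions. The example also shows the caveat from the reply: a non-conformant line using a method outside the rex's alternation (PUT here) is silently missed.

```python
import re

# Stock-style NCSA "combined" extraction, approximating what Splunk's
# access_combined / access_common sourcetypes pull out. Field names follow
# Splunk's conventions for those sourcetypes (clientip, ident, user, status,
# bytes, referer, useragent); the referer/useragent pair is optional so the
# same pattern also accepts the "common" format.
NCSA_COMBINED = re.compile(
    r'^(?P<clientip>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<timestamp>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/(?P<version>[\d.]+)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
    r'(?: "(?P<referer>[^"]*)" "(?P<useragent>[^"]*)")?'
)

# The short-term rex from the reply, unchanged apart from Python's (?P<name>...)
# named-group syntax in place of PCRE's (?<name>...).
STATUS_ONLY = re.compile(
    r'(GET|POST|HEAD|DELETE) +\S+ +HTTP/\S+\s+(?P<http_status>\d+)'
)

# Constructed sample events (assumptions, not the poster's real logs).
CONFORMANT = (
    '10.1.2.3 - alice [10/Oct/2023:13:55:36 +0000] '
    '"POST /api/login HTTP/1.1" 201 512 "-" "curl/8.1.0"'
)
# An "Event 1"-style line: a syslog-ish prefix, no brackets, no quotes.
NONCONFORMANT = (
    '2023-10-10T13:55:36Z app01 web: request POST /api/users HTTP/1.1 201 from 10.1.2.3'
)
# Same shape, but a method the rex's alternation does not list.
PUT_LINE = (
    '2023-10-10T13:56:01Z app01 web: request PUT /api/users/7 HTTP/1.1 204 from 10.1.2.3'
)


def extract_fields(line):
    """Full NCSA extraction. Returns a dict of fields, or None if the line
    does not follow the format (which is what a stock sourcetype would do)."""
    m = NCSA_COMBINED.match(line)
    return m.groupdict() if m else None


def extract_status(line):
    """Fallback rex: returns the HTTP status as a string, or None."""
    m = STATUS_ONLY.search(line)
    return m.group('http_status') if m else None


def status_for(line):
    """Try the stock extraction first, then the rex. Returns
    (status, source) where source names which extraction produced it,
    or (None, None) if neither pattern matched."""
    fields = extract_fields(line)
    if fields:
        return fields['status'], 'access_combined'
    status = extract_status(line)
    if status:
        return status, 'rex'
    return None, None


if __name__ == '__main__':
    for line in (CONFORMANT, NONCONFORMANT, PUT_LINE):
        print(status_for(line), '<-', line)
```

The PUT line comes back as (None, None): the rex only lists four methods, so any other verb (PUT, PATCH, OPTIONS) falls through. Widening the alternation to `[A-Z]+` in the rex closes that gap, but it does not change the underlying point of the reply: a hand-written regex can only follow the patterns you have seen, so the durable fix is making the application emit conformant NCSA lines and using the stock sourcetype.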
That definitely works for the time being. Thank you very much!