Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to achieve field extraction txt delimiting by space?

user33
Path Finder
‎12-22-2022 08:58 AM

Hello,

I am trying to extract the below 201 text highlighted in red below as one separate field from two separate events. How may I do this? I attempted the field extraction feature in Splunk but had no luck. Any assistance is appreciated!

Event 1:
106.51.86.25 [22/Dec/2022:07:48:10 -0500] POST /services/public/v1/signup HTTP/1.1 201 5 539
 
Event 2:
23.197.194.86 - - [22/Dec/2022:07:48:09 -0500] "POST /services/public/v1/signup HTTP/1.1" 201 -
Labels (3)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

yuanliu
SplunkTrust
SplunkTrust
‎12-22-2022 05:42 PM

I didn't notice that the logs in Event 1 is not fully conformant to NCSA.  This is horrible and you should get the developers/admins to fix that.  In the short term, if HTTP status is the only field of interest, you can try

| rex "(GET|POST|HEAD|DELETE) +\S+ +HTTP/\S+\s+(?<http_status>\d+)"

Here I'm trying to make this as robust as possible according to the posted patterns and some educated guesses.  But given that your developers are not respecting a well-established  format, there's no guarantee that they'll follow this pattern in all cases.

View solution in original post

0 Karma
Reply
Solved! Jump to solution

yuanliu
SplunkTrust
SplunkTrust
‎12-22-2022 09:24 AM

This is NCSA's httpd access log format which Splunk provides a stock extraction.  Just set sourcetype to "access_combined" or "access_common".  This will give you the best result.  You can study related stanzas in  etc/system/default/props.conf to see how it is done.

0 Karma
Reply
Solved! Jump to solution

user33
Path Finder
‎12-22-2022 10:59 AM

Thank you. I can look into that. Is there a short-term solution I can do in the interim? 

0 Karma
Reply
Solved! Jump to solution
Solution

yuanliu
SplunkTrust
SplunkTrust
‎12-22-2022 05:42 PM

I didn't notice that the logs in Event 1 is not fully conformant to NCSA.  This is horrible and you should get the developers/admins to fix that.  In the short term, if HTTP status is the only field of interest, you can try

| rex "(GET|POST|HEAD|DELETE) +\S+ +HTTP/\S+\s+(?<http_status>\d+)"

Here I'm trying to make this as robust as possible according to the posted patterns and some educated guesses.  But given that your developers are not respecting a well-established  format, there's no guarantee that they'll follow this pattern in all cases.

0 Karma
Reply
Solved! Jump to solution

user33
Path Finder
‎12-23-2022 11:53 AM

That definitely works for the time being. Thank you very much!

0 Karma
Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...