How to achieve field extraction txt delimiting by space?

user33
Path Finder

Hello,

I am trying to extract the 201 text highlighted in red below as one separate field from two separate events. How may I do this? I attempted the field extraction feature in Splunk but had no luck. Any assistance is appreciated!

Event 1:
106.51.86.25 [22/Dec/2022:07:48:10 -0500] POST /services/public/v1/signup HTTP/1.1 201 5 539
 
Event 2:
23.197.194.86 - - [22/Dec/2022:07:48:09 -0500] "POST /services/public/v1/signup HTTP/1.1" 201 -

yuanliu
SplunkTrust

This is NCSA's httpd access log format, for which Splunk provides a stock extraction. Just set sourcetype to "access_combined" or "access_common". This will give you the best result. You can study related stanzas in etc/system/default/props.conf to see how it is done.

user33
Path Finder

Thank you. I can look into that. Is there a short-term solution I can do in the interim? 

yuanliu
SplunkTrust

I didn't notice that the logs in Event 1 are not fully conformant to NCSA. This is horrible and you should get the developers/admins to fix that. In the short term, if HTTP status is the only field of interest, you can try

| rex "(GET|POST|HEAD|DELETE) +\S+ +HTTP/\S+\s+(?<http_status>\d+)"

Here I'm trying to make this as robust as possible according to the posted patterns and some educated guesses. But given that your developers are not respecting a well-established format, there's no guarantee that they'll follow this pattern in all cases.

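As an added example that is not part of the thread: the two posted events run through a Python approximation of the stock NCSA common-log pattern and through the fallback rex from the answer above. The NCSA regex here is my assumption about what the access_common extraction expects, not Splunk's actual props.conf stanza; the fallback pattern is unchanged apart from Splunk's (?<name>) becoming Python's (?P<name>).

```python
import re

# Constructed sample input: the two events copied from the question. Event 1 is
# the non-conformant line, Event 2 is a normal NCSA common-log line.
EVENTS = [
    '106.51.86.25 [22/Dec/2022:07:48:10 -0500] POST /services/public/v1/signup HTTP/1.1 201 5 539',
    '23.197.194.86 - - [22/Dec/2022:07:48:09 -0500] "POST /services/public/v1/signup HTTP/1.1" 201 -',
]

# Assumed approximation of the NCSA common log format that a stock
# access_common extraction relies on: client, ident, user, [timestamp],
# "method uri version", status, bytes.
NCSA_COMMON = re.compile(
    r'^(?P<clientip>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<timestamp>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) (?P<version>[^"]+)" (?P<status>\d{3}) (?P<bytes>\S+)'
)

# The fallback from the answer: anchor on the request line rather than on the
# surrounding (missing) quotes and dashes, and take the first number after it.
FALLBACK = re.compile(r'(GET|POST|HEAD|DELETE) +\S+ +HTTP/\S+\s+(?P<http_status>\d+)')


def parse_ncsa(line):
    """Return the field dict for a conformant line, or None if it does not match."""
    m = NCSA_COMMON.match(line)
    return m.groupdict() if m else None


def extract_status(line):
    """Fallback extraction: pull only the HTTP status out of either shape of event."""
    m = FALLBACK.search(line)
    return m.group('http_status') if m else None


def classify(events):
    """For each event, report whether the stock pattern works and what the fallback yields."""
    return [
        {'stock_ok': parse_ncsa(e) is not None, 'http_status': extract_status(e)}
        for e in events
    ]


if __name__ == '__main__':
    for event, result in zip(EVENTS, classify(EVENTS)):
        print(result, '<-', event[:45])
```

The stock-style pattern rejects Event 1 (the missing ident/user dashes and quotes shift every field), which is why the sourcetype alone does not help there, while the fallback returns 201 for both.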

user33
Path Finder

That definitely works for the time being. Thank you very much!
