How to change current regex for field extraction of whole Set-Cookie from Squid events?

psidler
Explorer

Hi, I am trying to extract multiple Set-Cookie headers from Squid events.

props.conf

REPORT-set_cookie = extract-set_cookies
REPORT-cookie = extract-cookies

transforms.conf

[extract-set_cookies]
REGEX = (?i)\\nSet-Cookie: (?P<set_cookie>[^\\]+)
MV_ADD = true

[extract-cookies]
REGEX = (?i)\\nCookie: (?P<cookie>[^\\]+)
MV_ADD = true

But now, my field set_cookie has the following content:

jive.security.context=

Here it cut off some content, because the original Set-Cookie from the event looked like this:

Set-Cookie: jive.security.context=\"4Z2cMbTSRIsGjW.LTE=\"; Version=1; Max-Age=2592000; Expires=Fri, 29-Aug-2014 10:41:22 GMT; Path=/;HttpOnly

What do I have to change in my regex to get the whole Set-Cookie?

Thanks in advance for your help.
Regards,
Patrik

somesoni2
SplunkTrust

Give this a try

your base search | rex "(?i)Set-Cookie:\s*(?P<set_cookie>((?:(?!\\\r).)*))"

OR

props.conf

EXTRACT-set_cookie = (?i)Set-Cookie:\s*(?P<set_cookie>((?:(?!\\r).)*))
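
Added example (not from the thread, and not Splunk's own code): both regexes reproduced with Python's re module, which accepts the same named groups and lookaheads as the PCRE Splunk uses, so the truncation and the fix can be checked offline. The sample event is constructed in the same shape as the poster's, with the literal four-character "\r\n" sequences and the \"-escaped cookie value intact, plus a second Set-Cookie header (not in the original event) so that multi-value extraction is visible. It also goes one step further than the answer: a header-anchored extractor that works for Cookie as well as Set-Cookie without matching "Cookie:" inside "Set-Cookie:", and a parser that unescapes the value and reports cookies missing Secure or HttpOnly. All helper names are this example's own.

```python
from __future__ import annotations
import re

# Constructed sample event (not taken verbatim from the thread): a Squid
# access-log line in the same shape as the poster's, where "\r\n" is the
# literal four-character sequence backslash-r-backslash-n and quoted
# cookie values appear as \"...\". A second Set-Cookie header is added so
# that multi-value extraction is visible. Raw strings keep every backslash.
SAMPLE_EVENT = (
    r'176 192.168.200.176:1096 TCP_MISS/200 779 GET http://community.example.test/api? '
    r'- DIRECT/192.0.2.10 application/json '
    r'"Accept: application/json\r\nHost: community.example.test\r\n'
    r'Cookie: jive.security.context=\"4Z2cMbTSRIsGjW.LTE=\"; JSESSIONID=350D94C62712F8858A.\r\n" '
    r'"HTTP/1.1 200 OK\r\nDate: Wed, 30 Jul 2014 10:41:22 GMT\r\n'
    r'Set-Cookie: jive.security.context=\"4Z2cMbTSRIsGjW.LTE=\"; Version=1; Max-Age=2592000; '
    r'Expires=Fri, 29-Aug-2014 10:41:22 GMT; Path=/;HttpOnly\r\n'
    r'Set-Cookie: JSESSIONID=350D94C62712F8858A.; Path=/; Secure; HttpOnly\r\n'
    r'Vary: User-Agent\r\n\r"'
)

# The poster's transforms.conf REGEX, read as PCRE: "\\n" is a literal
# backslash followed by "n", and "[^\\]+" is "one or more non-backslash
# characters". The negated class stops at the first \" inside the value,
# which is exactly the truncation reported in the question.
ORIGINAL_RE = re.compile(r'(?i)\\nSet-Cookie: (?P<set_cookie>[^\\]+)')

# The accepted answer's props.conf EXTRACT: consume one character at a time
# as long as the next two characters are not the literal "\r" that ends a
# header line in these events. A \" in the value no longer stops the match.
FIXED_RE = re.compile(r'(?i)Set-Cookie:\s*(?P<set_cookie>(?:(?!\\r).)*)')


def extract_set_cookies(event: str, pattern: re.Pattern = FIXED_RE) -> list[str]:
    """Return every captured set_cookie value, like MV_ADD = true in Splunk."""
    return [m.group("set_cookie") for m in pattern.finditer(event)]


def extract_header(event: str, name: str) -> list[str]:
    """Generalisation of the fix to any header name (helper of this example).

    Anchoring on the start of the event or a literal backslash-n keeps
    "Cookie:" from matching inside "Set-Cookie:"; the value then runs up to
    the literal backslash-r that ends the header line.
    """
    pattern = re.compile(
        r'(?i)(?:^|\\n)' + re.escape(name) + r':\s*(?P<value>(?:(?!\\r).)*)'
    )
    return [m.group("value") for m in pattern.finditer(event)]


def parse_set_cookie(raw: str) -> dict:
    """Split one Set-Cookie value into name, value and lower-cased attributes.

    The backslash-quote escapes Squid writes around quoted values are undone
    so the cookie value comes out as the browser would see it. Attributes
    without a value (HttpOnly, Secure) are stored as True.
    """
    first, *attrs = [part.strip() for part in raw.split(";")]
    name, _, value = first.partition("=")
    value = value.replace(r'\"', '"').strip('"')
    attributes = {}
    for attr in attrs:
        if not attr:
            continue
        key, _, aval = attr.partition("=")
        attributes[key.strip().lower()] = aval.strip() if aval else True
    return {"name": name.strip(), "value": value, "attributes": attributes}


def cookies_missing_flags(event: str, required=("secure", "httponly")) -> dict[str, list[str]]:
    """Map each Set-Cookie name in the event to the required attributes it lacks."""
    report = {}
    for raw in extract_header(event, "Set-Cookie"):
        cookie = parse_set_cookie(raw)
        report[cookie["name"]] = [f for f in required if f not in cookie["attributes"]]
    return report


if __name__ == "__main__":
    print("original regex:", extract_set_cookies(SAMPLE_EVENT, ORIGINAL_RE))
    print("fixed regex:   ", extract_set_cookies(SAMPLE_EVENT))
    print("request Cookie:", extract_header(SAMPLE_EVENT, "Cookie"))
    print("missing flags: ", cookies_missing_flags(SAMPLE_EVENT))
```

Running it shows the original regex returning only `jive.security.context=` for the first cookie while capturing the second (backslash-free) cookie in full, which is why the poster saw the truncation only on the quoted value. The Python patterns correspond to the props.conf form of the answer; the rex form in the search bar carries one extra level of backslash escaping because the pattern is written inside an SPL string, which is why the two versions of the answer differ.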

psidler
Explorer

Thank you very much for your help.
Now I receive the result I expect!

Best Regards,
Patrik


psidler
Explorer

They are literal characters. They appear as \r\n in the message. In Splunk they look the same as here in this post.


somesoni2
SplunkTrust

One more question: I can see some "\r\n" in your logs. Are they the literal characters "\r\n", or are they newlines that got converted here while pasting?


psidler
Explorer

That is what I expect:

jive.security.context=\"4Z2cMbTSRIsGjW.LTE=\"; Version=1; Max-Age=2592000; Expires=Fri, 29-Aug-2014 10:41:22 GMT; Path=/;HttpOnly

and that is what I get with my regular expression:

jive.security.context=

somesoni2
SplunkTrust

What is the expected value for set_cookie (from the sample event)?


psidler
Explorer

The whole Event looks like this:

176 192.168.200.176:1096 TCP_MISS/200 779 GET http://community.xmatters.com/__services/v2/rest/browserEvents/1406716809714? - DIRECT/204.93.75.166 application/json "Accept: application/json, text/javascript, */*; q=0.01\r\nAccept-Language: de-ch\r\nReferer: http://community.xmatters.com/welcome\r\nx-j-token: no-user\r\nx-requested-with: XMLHttpRequest\r\nContent-Type: application/json\r\nAccept-Encoding: gzip, deflate\r\nUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)\r\nHost: community.xmatters.com\r\nProxy-Connection: Keep-Alive\r\nCookie: jive.security.context=\"4Z2cMbTSRIsGjW.LTE=\"; JSESSIONID=350D94C62712F8858A.; BIGipServerm2s4c5-20-pool=1795401482.20480.0000; __utma=167379756.1989004756.1406722801.1406722801.1406722801.1; __utmb=167379756.1.10.1406722801; __utmc=167379756; __utmz=167379756.1406722801.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); lastDocument=Willkommen%20%7C%20xCommunity; _mkto_trk=id:178-CPU-592&token:_mch-xmatters.com-1406722802185-40555\r\n" "HTTP/1.1 200 OK\r\nDate: Wed, 30 Jul 2014 10:41:22 GMT\r\nServer: Apache-Coyote/1.1\r\nP3P: CP=\"CAO PSA OUR\"\r\nX-JIVE-USER-ID: -1\r\nContent-Type: application/json\r\nContent-Length: 76\r\nExpires: Wed, 30 Jul 2014 10:41:22 GMT\r\nCache-Control: no-store, no-cache, must-revalidate, private, max-age=0\r\nX-UA-Compatible: IE=edge\r\nX-JSL: D=4582 t=1406716882338765\r\nSet-Cookie: jive.security.context=\"4Z2cMbTSRIsGjW.LTE=\"; Version=1; Max-Age=2592000; Expires=Fri, 29-Aug-2014 10:41:22 GMT; Path=/;HttpOnly\r\nVary: User-Agent\r\nKeep-Alive: timeout=5, max=100\r\nConnection: Keep-Alive\r\n\r"

dshpritz
SplunkTrust

You may want to post the whole event. The regex can be changed, but to do so, it will most likely require context.
