Splunk Search

How do I change my current regex to extract the whole Set-Cookie from Squid events?

psidler
Explorer

Hi, I am trying to extract multiple Set-Cookie headers from Squid events.

props.conf

REPORT-set_cookie = extract-set_cookies
REPORT-cookie = extract-cookies

transforms.conf

[extract-set_cookies]
REGEX = (?i)\\nSet-Cookie: (?P<set_cookie>[^\\]+)
MV_ADD = true

[extract-cookies]
REGEX = (?i)\\nCookie: (?P<cookie>[^\\]+)
MV_ADD = true

But now, my field set_cookie has the following content:

jive.security.context=

Here it cut off some content, because the original Set-Cookie from the event looked like this:

Set-Cookie: jive.security.context=\"4Z2cMbTSRIsGjW.LTE=\"; Version=1; Max-Age=2592000; Expires=Fri, 29-Aug-2014 10:41:22 GMT; Path=/;HttpOnly

What do I have to change in my regex to get the whole Set-Cookie?

Thanks in advance for your help.
Regards,
Patrik

1 Solution

somesoni2
Revered Legend

Give this a try:

your base search | rex "(?i)Set-Cookie:\s*(?P<set_cookie>((?:(?!\\\r).)*))"

OR

props.conf

EXTRACT-set_cookie = (?i)Set-Cookie:\s*(?P<set_cookie>((?:(?!\\r).)*))


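As an added illustration (not code from the thread or from Splunk), the two regexes above compared in Python's re module, which treats this pattern the same way Splunk's PCRE engine does: the original `[^\\]+` class stops at the first backslash, i.e. the `\"` that quotes the cookie value, while the tempered dot `(?:(?!\\r).)*` consumes everything up to the literal `\r` that ends the header line. The event is trimmed from the sample psidler posted further down; the second Set-Cookie header is constructed here to show the multi-value behaviour that `MV_ADD = true` gives. The attribute-splitting helper is also mine, the kind of thing you would bolt on to check that cookies passing through the proxy carry HttpOnly and Secure.

```python
from __future__ import annotations

import re

# Trimmed from the sample Squid event in the thread. The header separators
# are the literal two-character sequences \r and \n, not real line breaks
# (as psidler confirmed). The second Set-Cookie is constructed for this
# example to show multi-value (MV_ADD) extraction.
EVENT = (
    r'"HTTP/1.1 200 OK\r\nDate: Wed, 30 Jul 2014 10:41:22 GMT\r\n'
    r'Set-Cookie: jive.security.context=\"4Z2cMbTSRIsGjW.LTE=\"; Version=1; '
    r'Max-Age=2592000; Expires=Fri, 29-Aug-2014 10:41:22 GMT; Path=/;HttpOnly\r\n'
    r'Set-Cookie: example_session=abc123; Path=/; Secure; HttpOnly\r\n'
    r'Vary: User-Agent\r\nConnection: Keep-Alive\r\n\r"'
)

# psidler's original transforms.conf regex: [^\\]+ matches any run of
# characters that are not a backslash, so it stops at the \" that quotes
# the cookie value.
ORIGINAL_REGEX = r'(?i)\\nSet-Cookie: (?P<set_cookie>[^\\]+)'

# somesoni2's fix: at each position the negative lookahead checks that the
# literal sequence \r does not start here, then the dot consumes one
# character, so the capture runs to the end of the header line no matter
# how many backslashes the value contains.
FIXED_REGEX = r'(?i)Set-Cookie:\s*(?P<set_cookie>((?:(?!\\r).)*))'


def extract_set_cookies(event: str, regex: str) -> list[str]:
    """Return every set_cookie capture in order, mirroring MV_ADD = true."""
    return [m.group("set_cookie") for m in re.finditer(regex, event)]


def cookie_attributes(set_cookie: str) -> dict[str, str | None]:
    """Split one captured Set-Cookie value into name, value and attributes.

    Attribute names are lower-cased; flag attributes without a value
    (HttpOnly, Secure) map to None. The escaped quotes Squid writes around
    the value (\\"...\\") are stripped.
    """
    parts = [p.strip() for p in set_cookie.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs: dict[str, str | None] = {"name": name, "value": value.strip('\\"')}
    for part in parts[1:]:
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else None
    return attrs


if __name__ == "__main__":
    print("original regex:", extract_set_cookies(EVENT, ORIGINAL_REGEX))
    for captured in extract_set_cookies(EVENT, FIXED_REGEX):
        attrs = cookie_attributes(captured)
        print("fixed regex:   ", captured)
        print("   name=%s httponly=%s secure=%s" % (
            attrs["name"], "httponly" in attrs, "secure" in attrs))
```

Running it shows the original regex returning only `jive.security.context=` for the first header while the fixed regex returns the complete value, and both regexes yield one element per Set-Cookie header, which is what the multi-valued `set_cookie` field looks like in Splunk.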

psidler
Explorer

Thank you very much for your help.
Now I receive the result I expect!

Best Regards,
Patrik


psidler
Explorer

They are literal characters. They appear as \r\n in the message. In Splunk they look the same as here in this post.


somesoni2
Revered Legend

One more question: I can see some "\r\n" in your logs. Are they the literal characters "\r\n", or are they newlines that got converted here while pasting?


psidler
Explorer

That is what I expect:

jive.security.context=\"4Z2cMbTSRIsGjW.LTE=\"; Version=1; Max-Age=2592000; Expires=Fri, 29-Aug-2014 10:41:22 GMT; Path=/;HttpOnly

and this is what I get with my regular expression:

jive.security.context=

somesoni2
Revered Legend

What is the expected value for set_cookie (from the sample event)?


psidler
Explorer

The whole event looks like this:

176 192.168.200.176:1096 TCP_MISS/200 779 GET http://community.xmatters.com/__services/v2/rest/browserEvents/1406716809714? - DIRECT/204.93.75.166 application/json "Accept: application/json, text/javascript, */*; q=0.01\r\nAccept-Language: de-ch\r\nReferer: http://community.xmatters.com/welcome\r\nx-j-token: no-user\r\nx-requested-with: XMLHttpRequest\r\nContent-Type: application/json\r\nAccept-Encoding: gzip, deflate\r\nUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)\r\nHost: community.xmatters.com\r\nProxy-Connection: Keep-Alive\r\nCookie: jive.security.context=\"4Z2cMbTSRIsGjW.LTE=\"; JSESSIONID=350D94C62712F8858A.; BIGipServerm2s4c5-20-pool=1795401482.20480.0000; __utma=167379756.1989004756.1406722801.1406722801.1406722801.1; __utmb=167379756.1.10.1406722801; __utmc=167379756; __utmz=167379756.1406722801.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); lastDocument=Willkommen%20%7C%20xCommunity; _mkto_trk=id:178-CPU-592&token:_mch-xmatters.com-1406722802185-40555\r\n" "HTTP/1.1 200 OK\r\nDate: Wed, 30 Jul 2014 10:41:22 GMT\r\nServer: Apache-Coyote/1.1\r\nP3P: CP=\"CAO PSA OUR\"\r\nX-JIVE-USER-ID: -1\r\nContent-Type: application/json\r\nContent-Length: 76\r\nExpires: Wed, 30 Jul 2014 10:41:22 GMT\r\nCache-Control: no-store, no-cache, must-revalidate, private, max-age=0\r\nX-UA-Compatible: IE=edge\r\nX-JSL: D=4582 t=1406716882338765\r\nSet-Cookie: jive.security.context=\"4Z2cMbTSRIsGjW.LTE=\"; Version=1; Max-Age=2592000; Expires=Fri, 29-Aug-2014 10:41:22 GMT; Path=/;HttpOnly\r\nVary: User-Agent\r\nKeep-Alive: timeout=5, max=100\r\nConnection: Keep-Alive\r\n\r"

dshpritz
SplunkTrust

You may want to post the whole event. The regex can be changed, but doing so will most likely require context.
