How to change current regex for field extraction of whole Set-Cookie from Squid events?

Explorer

Hi, I am trying to extract multiple Set-Cookie from Squid Events.

props.conf

REPORT-set_cookie = extract-set_cookies
REPORT-cookie = extract-cookies

transforms.conf

[extract-set_cookies]
REGEX = (?i)\\nSet-Cookie: (?P<set_cookie>[^\\]+)
MV_ADD = true

[extract-cookies]
REGEX = (?i)\\nCookie: (?P<cookie>[^\\]+)
MV_ADD = true

But now, my field set_cookie has the following content:

jive.security.context=

Here it cut off some content, because the original Set-Cookie from the Event looked like this:

Set-Cookie: jive.security.context=\"4Z2cMbTSRIsGjW.LTE=\"; Version=1; Max-Age=2592000; Expires=Fri, 29-Aug-2014 10:41:22 GMT; Path=/;HttpOnly

What do I have to change in my Regex to get the whole Set-Cookie?

Thanks in advance for your help.
Regards,
Patrik

Revered Legend

Give this a try

your base search | rex "(?i)Set-Cookie:\s*(?P<set_cookie>((?:(?!\\\r).)*))"

OR

props.conf

EXTRACT-set_cookie = (?i)Set-Cookie:\s*(?P<set_cookie>((?:(?!\\r).)*))
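
Why the question's pattern truncates and the answer's does not, as an added Python example that is not part of the original posts. Python's `re` stands in for Splunk's regex engine here; the sample event, its cookie values and the helper names `extract` and `truncated` are constructed for illustration.

```python
import re

# Constructed sample in the shape of the Squid event from the thread: header
# separators are the literal two-character sequences \r and \n, and quotes
# inside header values are backslash-escaped. All values are made up.
EVENT = (
    r'176 192.0.2.10:1096 TCP_MISS/200 779 GET http://example.test/ - '
    r'DIRECT/198.51.100.7 application/json '
    r'"Accept: */*\r\nCookie: ctx=\"REQ-EXAMPLE=\"; JSESSIONID=REQ1\r\n" '
    r'"HTTP/1.1 200 OK\r\nServer: Apache-Coyote/1.1\r\n'
    r'Set-Cookie: ctx=\"RESP-EXAMPLE=\"; Version=1; Path=/;HttpOnly\r\n'
    r'Set-Cookie: JSESSIONID=RESP1; Path=/\r\nVary: User-Agent\r\n\r"'
)

# Pattern from the question's transforms.conf: the value class [^\\]+ stops
# at ANY backslash, including the one that escapes a quote.
ORIGINAL = re.compile(r'(?i)\\nSet-Cookie: (?P<set_cookie>[^\\]+)')

# Pattern from the accepted answer (props.conf form): consume characters
# until the next two are a literal backslash followed by "r".
FIXED = re.compile(r'(?i)Set-Cookie:\s*(?P<set_cookie>((?:(?!\\r).)*))')


def extract(pattern, event):
    """Return every set_cookie match, like a multivalue field (MV_ADD = true)."""
    return [m.group('set_cookie') for m in pattern.finditer(event)]


def truncated(pattern, event):
    """Return matched values that do not end at the literal header separator."""
    return [
        m.group('set_cookie')
        for m in pattern.finditer(event)
        if event[m.end('set_cookie'):m.end('set_cookie') + 2] != r'\r'
    ]


if __name__ == '__main__':
    for name, pattern in (('original', ORIGINAL), ('fixed', FIXED)):
        print(name, extract(pattern, EVENT), 'truncated:', truncated(pattern, EVENT))
```

The `truncated` check is a quick way to spot other extractions cut short by escaped characters before the field is relied on in searches or alerts.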

Explorer

Thank you very much for your help.
Now I receive the result I expect!

Best Regards,
Patrik

Explorer

They are literal characters. They appear as \r\n in the message. In Splunk they look the same as here in this post.

Revered Legend

One more question: I can see some "\r\n" in your logs. Are they the literal characters "\r\n", or are they new lines that got converted here while pasting?

Explorer

That is what I expect:

jive.security.context=\"4Z2cMbTSRIsGjW.LTE=\"; Version=1; Max-Age=2592000; Expires=Fri, 29-Aug-2014 10:41:22 GMT; Path=/;HttpOnly

and that is what I get with my Regular Expression:

jive.security.context=

Revered Legend

What is the expected value for set_cookie (from the sample event)?

Explorer

The whole Event looks like this:

176 192.168.200.176:1096 TCP_MISS/200 779 GET http://community.xmatters.com/__services/v2/rest/browserEvents/1406716809714? - DIRECT/204.93.75.166 application/json "Accept: application/json, text/javascript, */*; q=0.01\r\nAccept-Language: de-ch\r\nReferer: http://community.xmatters.com/welcome\r\nx-j-token: no-user\r\nx-requested-with: XMLHttpRequest\r\nContent-Type: application/json\r\nAccept-Encoding: gzip, deflate\r\nUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)\r\nHost: community.xmatters.com\r\nProxy-Connection: Keep-Alive\r\nCookie: jive.security.context=\"4Z2cMbTSRIsGjW.LTE=\"; JSESSIONID=350D94C62712F8858A.; BIGipServerm2s4c5-20-pool=1795401482.20480.0000; __utma=167379756.1989004756.1406722801.1406722801.1406722801.1; __utmb=167379756.1.10.1406722801; __utmc=167379756; __utmz=167379756.1406722801.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); lastDocument=Willkommen%20%7C%20xCommunity; _mkto_trk=id:178-CPU-592&token:_mch-xmatters.com-1406722802185-40555\r\n" "HTTP/1.1 200 OK\r\nDate: Wed, 30 Jul 2014 10:41:22 GMT\r\nServer: Apache-Coyote/1.1\r\nP3P: CP=\"CAO PSA OUR\"\r\nX-JIVE-USER-ID: -1\r\nContent-Type: application/json\r\nContent-Length: 76\r\nExpires: Wed, 30 Jul 2014 10:41:22 GMT\r\nCache-Control: no-store, no-cache, must-revalidate, private, max-age=0\r\nX-UA-Compatible: IE=edge\r\nX-JSL: D=4582 t=1406716882338765\r\nSet-Cookie: jive.security.context=\"4Z2cMbTSRIsGjW.LTE=\"; Version=1; Max-Age=2592000; Expires=Fri, 29-Aug-2014 10:41:22 GMT; Path=/;HttpOnly\r\nVary: User-Agent\r\nKeep-Alive: timeout=5, max=100\r\nConnection: Keep-Alive\r\n\r"

SplunkTrust

You may want to post the whole event. The regex can be changed, but to do so, it will most likely require context.
