Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to edit my regular expression to extract a field that comes before \r\n in my sample data?

rewritex
Contributor
‎12-14-2016 04:43 PM

I'm trying to create a field extraction based on data: Host: www.ditto.dut.com\r\nIf-Modified-Since: Tue where the field=host: and value is www.ditto.dut.com ... the other info isn't needed.

When I use www.regex101.com to create the expression, I come up with ... Host:\s(?<host:>\S+)\\r

But when I try it in Splunk | rex field=_raw "Host:\s(?<http_request_host2>\S+)\\r" ... it doesn't work until I remove the \\r at which time the result shows www.ditto.dut.com\r\nIf-Modified-Since: Tue

I would like a result that ends at the \r\n and doesn't include it.
I don't know why I'm having so much trouble with the \r\n, but any help would be appreciated.
I have read through the forums and other web search without a solution.

added 12/20/2016 -
I am receiving data from F5-ASM (key-value-pairs) which seems to put a \r\n between each key-value pairing.

Thank You,
Sean

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎12-15-2016 11:46 AM

Give this a try

your base search | rex "Host:\s(?<http_request_host2>[^\\\\]+)"

View solution in original post

Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎12-15-2016 11:46 AM

Give this a try

your base search | rex "Host:\s(?<http_request_host2>[^\\\\]+)"
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎12-20-2016 10:58 AM

Could you provide some same values where it didn't work. The above works if used with the sample you provided in question. (see this runanywhere sample search)

| gentimes start=-1 | eval _raw="Host: www.ditto.dut.com\r\nIf-Modified-Since: Tue" | table _raw  | rex "Host:\s(?<http_request_host2>[^\\\\]+)"
0 Karma
Reply
Solved! Jump to solution

rewritex
Contributor
‎12-20-2016 09:53 AM

Thank you for the comment but didn't work.

add update: 20161220

You are correct, | rex field=_raw "Host:\s(?<http_request_host3>[^\\\\]+)" is working!!
Thank you for being persistent and suggesting I double check. I appreciate it.

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | Why did the turkey cross the road?

November 2025 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  &#x1f680; Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Feel the Splunk Love: Real Stories from Real Customers

Hello Splunk Community,    What’s the best part of hearing how our customers use Splunk? Easy: the positive ...