Splunk Search

How to edit my regular expression to extract a field that comes before \r\n in my sample data?

rewritex
Contributor

I'm trying to create a field extraction based on data: Host: www.ditto.dut.com\r\nIf-Modified-Since: Tue where the field=host: and value is www.ditto.dut.com ... the other info isn't needed.

When I use www.regex101.com to create the expression, I come up with ... Host:\s(?<host:>\S+)\\r

But when I try it in Splunk | rex field=_raw "Host:\s(?<http_request_host2>\S+)\\r" ... it doesn't work until I remove the \\r at which time the result shows www.ditto.dut.com\r\nIf-Modified-Since: Tue

I would like a result that ends at the \r\n and doesn't include it.
I don't know why I'm having so much trouble with the \r\n, but any help would be appreciated.
I have read through the forums and other web search without a solution.

added 12/20/2016 -
I am receiving data from F5-ASM (key-value-pairs) which seems to put a \r\n between each key-value pairing.

Thank You,
Sean

0 Karma
1 Solution

somesoni2
Revered Legend

Give this a try

your base search | rex "Host:\s(?<http_request_host2>[^\\\\]+)"

View solution in original post

somesoni2
Revered Legend

Give this a try

your base search | rex "Host:\s(?<http_request_host2>[^\\\\]+)"

somesoni2
Revered Legend

Could you provide some same values where it didn't work. The above works if used with the sample you provided in question. (see this runanywhere sample search)

| gentimes start=-1 | eval _raw="Host: www.ditto.dut.com\r\nIf-Modified-Since: Tue" | table _raw  | rex "Host:\s(?<http_request_host2>[^\\\\]+)"
0 Karma

rewritex
Contributor

Thank you for the comment but didn't work.

add update: 20161220

You are correct, | rex field=_raw "Host:\s(?<http_request_host3>[^\\\\]+)" is working!!
Thank you for being persistent and suggesting I double check. I appreciate it.

0 Karma
Get Updates on the Splunk Community!

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

 (view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...