Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to edit my regular expression to extract a field that comes before \r\n in my sample data?

rewritex
Contributor
‎12-14-2016 04:43 PM

I'm trying to create a field extraction based on data: Host: www.ditto.dut.com\r\nIf-Modified-Since: Tue where the field=host: and value is www.ditto.dut.com ... the other info isn't needed.

When I use www.regex101.com to create the expression, I come up with ... Host:\s(?<host:>\S+)\\r

But when I try it in Splunk | rex field=_raw "Host:\s(?<http_request_host2>\S+)\\r" ... it doesn't work until I remove the \\r at which time the result shows www.ditto.dut.com\r\nIf-Modified-Since: Tue

I would like a result that ends at the \r\n and doesn't include it.
I don't know why I'm having so much trouble with the \r\n, but any help would be appreciated.
I have read through the forums and other web search without a solution.

added 12/20/2016 -
I am receiving data from F5-ASM (key-value-pairs) which seems to put a \r\n between each key-value pairing.

Thank You,
Sean

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎12-15-2016 11:46 AM

Give this a try

your base search | rex "Host:\s(?<http_request_host2>[^\\\\]+)"

View solution in original post

Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎12-15-2016 11:46 AM

Give this a try

your base search | rex "Host:\s(?<http_request_host2>[^\\\\]+)"
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎12-20-2016 10:58 AM

Could you provide some same values where it didn't work. The above works if used with the sample you provided in question. (see this runanywhere sample search)

| gentimes start=-1 | eval _raw="Host: www.ditto.dut.com\r\nIf-Modified-Since: Tue" | table _raw  | rex "Host:\s(?<http_request_host2>[^\\\\]+)"
0 Karma
Reply
Solved! Jump to solution

rewritex
Contributor
‎12-20-2016 09:53 AM

Thank you for the comment but didn't work.

add update: 20161220

You are correct, | rex field=_raw "Host:\s(?<http_request_host3>[^\\\\]+)" is working!!
Thank you for being persistent and suggesting I double check. I appreciate it.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Mobile: Your Brand-New Home Screen

Meet Your New Mobile Hub  Hello Splunk Community!  Staying connected to your data—no matter where you are—is ...

Introducing Value Insights (Beta): Understand the Business Impact your organization ...

Real progress on your strategic priorities starts with knowing the business outcomes your teams are delivering ...

Enterprise Security (ES) Essentials 8.3 is Now GA — Smarter Detections, Faster ...

As of today, Enterprise Security (ES) Essentials 8.3 is now generally available, helping SOC teams simplify ...