Splunk Search

How to edit my regular expression to extract the 3 digit HTTP response code and the following text from my sample events?

Contributor

I want to grab the 3 digit number and the words after, bolded.

[INFO 16-09-08:19:39:10] @makeRequest HTTP REQUEST Uri : http://www.ve.com/delivery/api/tamy?taxonomy=Jewelry%20eatured&view=grid&usestate=1&platform=mobile&..., HTTP RESPONSE : [responseCode= 200, responseMessage= HTTP/1.1 200 OK], Time taken = 6 msecs

[INFO 16-09-08:19:37:58] @makeRequest HTTP REQUEST Uri : https://api-atfile/password/validate?token=K1JfXa3ulHz3POkrJViEzSw_EPfY., HTTP RESPONSE : [responseCode= 500, responseMessage= HTTP/1.1 500 Internal Server Error], Time taken = 170 msecs

[INFO 16-09-08:19:42:18] @makeRequest HTTP REQUEST Uri : https://am/token, HTTP RESPONSE : [responseCode= 400, responseMessage= HTTP/1.1 400 Bad Request], Time taken = 167 msecs

[INFO 16-09-08:19:42:19] @makeRequest HTTP REQUEST Uri : http://5/kohls/product/2508548?campaignId=271, HTTP RESPONSE : [responseCode= 200, responseMessage= HTTP/1.1 200 ], Time taken = 88 msecsme taken = 10 msecs

(responseMessage=)\s(?\w*) Got this, but it doesn't grab everything, just the http part which isn't the part I want unfortunately.

0 Karma
1 Solution

Influencer

... | rex "responseMessage=\s+HTTP/\d+\.\d+\s+(?<status>[^\]]+)\s*\]"

View solution in original post

0 Karma

Influencer

... | rex "responseMessage=\s+HTTP/\d+\.\d+\s+(?<status>[^\]]+)\s*\]"

View solution in original post

0 Karma