Solved: How to edit my search to create a new extracted fi...

JoshuaJohn · ‎08-15-2016

I have this search

index=nitro_prod_ecomm earliest=-30m@m | rex field=_raw "\d\d\:\d\d\:\d\d\s+(?\d+\.\d+)" | where ResponseTime>1| rex field=_raw "(?(GET|POST)\s+\/(\w+))" |stats count by header_page

It gets me the first part of a URL from the raw rex field, which is what I want.
I want to get this information into my extracted fields section on the left, I want to be able to click "header_page" and it will show me what is being displayed by this search such as "GET /store" etc. (Like below)

When attempting to create an extracted field via the automatic builder, it cannot do it and needs a custom written one. I tried just using the rex from the search, but it didn't seem to work.

Any ideas?

sundareshr · ‎08-15-2016

Add this to your props.conf

[sourcetype_stanza]
EXTRACT-headepage = (?<header_page>(GET|POST)\s+\/(\w+))

http://docs.splunk.com/Documentation/Splunk/6.4.2/Knowledge/Createandmaintainsearch-timefieldextract...

View solution in original post

sundareshr · ‎08-15-2016

Add this to your props.conf

[sourcetype_stanza]
EXTRACT-headepage = (?<header_page>(GET|POST)\s+\/(\w+))

http://docs.splunk.com/Documentation/Splunk/6.4.2/Knowledge/Createandmaintainsearch-timefieldextract...

richgalloway · ‎08-15-2016

Can you share some sample data?

---
If this reply helps you, Karma would be appreciated.

JoshuaJohn · ‎08-15-2016

header_page ________________count
GET /price_______________________ 3
GET /product_________________3956
POST /rest__________________373
GET /search________________355
GET /search_error _____________1
GET /store______________________382

Basically this ^

How to edit my search to create a new extracted field with rex?

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?