Splunk Search

Need to create rex group expression

ravir_jbp
Explorer

Apr 30 09:13:30 localhost haproxy[22865]: 10.10.10.10:31872 [30/Apr/2021:09:13:30.362] verint rest_service/rest-hostname-8780 0/0/0/10/12 302 1973 - X-CSRF-TOKEN=NtOTKgh2hfTpjwTuRmx269ZR5qQhDRUtAOf0 ---- 32/32/6/0/0 0/0 {} "GET /test/te/ping/login HTTP/1.1"

Apr 30 09:13:30 localhost haproxy[22865]: 10.10.10.10:52353 [30/Apr/2021:09:13:30.322] verint rest_service/rest-hostname-8680 0/0/0/1/1 200 11537 - - ---- 32/32/6/1/0 0/0 {} "GET /filterservices/css/filters.css HTTP/1.1"

Apr 30 09:13:30 localhost haproxy[22865]: 10.10.10.10:42112 [30/Apr/2021:09:13:30.059] verint rest_service/rest-hostname-8780 0/0/12/143/202 200 122948 - - ---- 32/32/7/0/0 0/0 {} "GET /verintkm/js/tree.jquery.js HTTP/1.1"

The rex expression below works fine up to the port number for the above events. Now I am trying to add an expression for "0/0/12/143/202 200". After the port group I need to create another group name (response time) for the value 202, which is the last value after the forward slash. [expr/expres/expre/expres/group name]

\[[^\]]+\]\s\w+\s(?<service>[^\/]+)\/\w+\-(?<hostname>\w+)\-(?<port>\d+)\s+


ITWhisperer
SplunkTrust

\[[^\]]+\]\s\w+\s(?<service>[^\/]+)\/\w+\-(?<hostname>\w+)\-(?<port>\d+)\s+(\d+\/){4}(?<response>\d+)\s+

ravir_jbp
Explorer

@ITWhisperer 

Thank you for your quick response. This script worked for two types of events. When I tried to search, I found I have 14 different types of events in the HAProxy logs. On the regex101 site I was able to find only two types of events. I have listed the 14 different types of events below. Can you help me add a few expressions so that it matches all events? I tried for many hours but was not getting the group name field. Please help.

May  2 12:46:10 localhost haproxy[59527]: XX.XX.XX.XX:64321 [02/May/2021:12:46:10.887] vendor tag_service/tag-service-hostname 0/0/0/4/4 200 1384 - - ---- 2/2/0/0/0 0/0 {} "GET /km-tag-service/default/tag/newchange?flatten=true&size=150 HTTP/1.1"

May  2 12:46:10 localhost haproxy[59527]: XX.XX.XX.XX:30273 [02/May/2021:12:46:10.801] vendor apache_static/apache-hostname 0/0/0/21/22 200 21076 - - ---- 3/3/0/0/0 0/0 {} "GET /filestorage/KM/files/uploaded/ssfadfadfasdf HTTP/1.1"

May  2 12:46:10 localhost haproxy[59527]: XX.XX.XX.XX:46529 [02/May/2021:12:46:10.576] vendor km_bookmark_service/km-bookmark-hostname 0/0/0/198/198 200 1204 - - ---- 2/2/0/0/0 0/0 {} "GET /km-bookmark-service/default/bookmark/test/KfsafasdfsadffdfdfsdF79?lang=en-US HTTP/1.1"

May  2 12:46:10 localhost haproxy[59527]: XX.XX.XX.XX:65505 [02/May/2021:12:46:10.599] vendor soap_services/soap-hostname-8281 0/0/0/166/166 200 26596 - - ---- 4/4/0/0/0 0/0 {} "POST /GTConnect/StatelessSoapAcceptor/?gtxInitialProcess=AddKnowContentServices.API.BookmarkService.KMBookmarkServiceV1 HTTP/1.1"

May  2 12:46:10 localhost haproxy[59527]: XX.XX.XX.XX:34269 [02/May/2021:12:46:10.578] vendor all_solr_servers/solr-slave-hostname 0/0/0/8/10 200 2777 - - ---- 4/4/0/0/0 0/0 {} "POST /solr/KM/select HTTP/1.1"

May  2 12:46:10 localhost haproxy[56287]: XX.XX.XX.XX:5697 [02/May/2021:12:46:09.960] vendor asset_service/asset-service-hostname 0/0/0/868/870 200 25069 - - ---- 3/3/0/0/0 0/0 {} "GET /km-asset-service/default/asset/file/Hospital_Reference_Laboratory_Protocol_Denial_Time1617629752632.htm?contentID=KMlJd3VMJI5Q8E08h95F79&lang=en-US&version=10.0 HTTP/1.1"

May  2 12:46:10 localhost haproxy[15523]: XX.XX.XX.XX:15361 [02/May/2021:12:46:10.429] vendor km_content_service/km-content-hostname 0/0/0/227/227 204 252 - - ---- 1/1/1/0/0 0/0 {} "POST /km-content-service/default/content/vkm:AuthoredContent/46eccba9-2902-4c9b-a51b-4669726ddbc5/en-US?externalSearchId=asfafasdfdsfsadfdfadfsafasdfc HTTP/1.1"

May  2 12:46:10 localhost haproxy[14380]: XX.XX.XX.XX:43521 [02/May/2021:12:46:09.945] vendor rest_service/rest-hostname-8780 0/0/0/887/887 200 21245 X-CSRF-TOKEN=2ofYcQfOxKKvm938FvZt79rSWXPnc7yqr91f - ---- 4/4/0/0/0 0/0 {} "GET /contentservices/km/asset/gasdfasdfsd.test.com%3A443 HTTP/1.1"

May  2 12:46:05 localhost haproxy[15523]: XX.XX.XX.XX:12647 [02/May/2021:12:46:05.720] vendor km_search_service/km-search-hostname 0/0/0/271/272 200 66149 - - ---- 0/0/0/0/0 0/0 {} "GET /km-search-service/default/search?query=search%20callback&tag=kbas HTTP/1.1"

May  2 12:46:02 localhost haproxy[22865]: XX.XX.XX.XX:26962 [02/May/2021:12:44:02.074] vendor agent_desktop/hostname-8283 0/0/0/120003/120003 200 8857 X-CSRF-TOKEN=adfadsfdafdffdafsdafsd - --VN 3/3/2/0/0 0/0 {} "POST /GTConnect/UnifiedAcceptor/?mode=pushconnect&logicalSessionID=AddKnowPageSetServices.Implementation.PageSetV1.RestPageSet&window=primaryWindow HTTP/1.1"

May  2 12:46:01 localhost haproxy[59527]: XX.XX.XX.XX:2113 [02/May/2021:12:46:01.533] vendor km_indexer/km-indexer-hostname 0/0/0/6/6 200 126 - - ---- 3/3/0/0/0 0/0 {} "GET /search-contribution/admin/v1/isIndexFieldCacheStale?timestamp=1619842290988 HTTP/1.1"

May  2 12:45:42 localhost haproxy[56287]: XX.XX.XX.XX:39617 [02/May/2021:12:45:42.144]  vendor agent_service/agent-services-hostname 0/0/0/154/155 200 2646 - - ---- 3/3/0/0/0 0/0 {} "GET /agent-service/defauasfdasfsdfsions?profiletest HTTP/1.1"

May  2 12:45:42 localhost haproxy[59527]: XX.XX.XX.XX:46529 [02/May/2021:12:45:41.950] vendor cre_services/cre-services-hostname 0/0/0/362/362 200 2829 - - ---- 2/2/0/0/0 0/0 {} "POST /oidc-token-service/default/token HTTP/1.1"

May  2 12:45:42 localhost haproxy[15523]: XX.XX.XX.XX:42189 [02/May/2021:12:45:41.992] vendor agent_synchronizer/agent-synchronizer-hostname 0/0/0/142/142 200 627 - - ---- 2/2/0/0/0 0/0 {} "POST /agent-synchronizer/default/synchronizedAgent HTTP/1.1"


ITWhisperer
SplunkTrust

\[[^\]]+\]\s+\w+\s(?<service>[^\/]+)\/((\w+\-)*?|)(?<hostname>\w+)(\-(?<port>\d+)|)?\s(\d+\/){4}(?<response>\d+)\s+

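To check that the final rex above really covers every event shape in the thread before it goes into a saved search, here is an added example (not code from the thread, from ravir_jbp, or from Splunk) that runs it over a handful of the posted events with Python's re module standing in for the PCRE engine behind Splunk's rex. The `status` and `bytes` groups appended after the thread's rex, the `to_python_re` converter and the `slow_requests` helper are my additions; the only assumption is that the fields after the timers follow the HAProxy HTTP log format visible in the sample events (status code, then byte count).

```python
import re

# The final rex from ITWhisperer's reply, copied verbatim (PCRE-style named groups).
SPLUNK_REX = (
    r"\[[^\]]+\]\s+\w+\s(?<service>[^\/]+)\/((\w+\-)*?|)(?<hostname>\w+)"
    r"(\-(?<port>\d+)|)?\s(\d+\/){4}(?<response>\d+)\s+"
)

# Added here (not in the thread): the HTTP status and byte count that follow the
# five timers in HAProxy's HTTP log format, so a status-vs-time mix-up is visible.
EXTENDED_REX = SPLUNK_REX + r"(?<status>\d{3})\s+(?<bytes>\d+)"


def to_python_re(pcre: str) -> str:
    """Splunk/PCRE write named groups as (?<name>...); Python's re wants (?P<name>...).
    Only group openers are rewritten; lookbehinds (?<= and (?<! are left alone."""
    return re.sub(r"\(\?<(?=[A-Za-z_])", "(?P<", pcre)


PATTERN = re.compile(to_python_re(EXTENDED_REX))


def extract(line: str):
    """Named fields for one HAProxy line, or None when the rex does not match."""
    m = PATTERN.search(line)
    if not m:
        return None
    return {
        "service": m.group("service"),
        "hostname": m.group("hostname"),
        "port": m.group("port"),                # None when the backend has no -NNNN suffix
        "response": int(m.group("response")),   # fifth timer = total time in ms, not the status
        "status": int(m.group("status")),
        "bytes": int(m.group("bytes")),
    }


def unmatched(lines):
    """Lines the rex fails on: run this over every event type before trusting the fields."""
    return [line for line in lines if extract(line) is None]


def slow_requests(lines, threshold_ms: int):
    """Backends whose total time exceeds threshold_ms, the reason the response group was wanted."""
    return [r["service"] for r in map(extract, lines) if r and r["response"] > threshold_ms]


# Constructed test input: five events copied from the thread (IPs were already masked there),
# chosen to cover a port suffix, no port suffix, a double space after the timestamp bracket,
# a CSRF-token captured-header field and the --VN termination flags.
SAMPLE = [
    'Apr 30 09:13:30 localhost haproxy[22865]: 10.10.10.10:31872 [30/Apr/2021:09:13:30.362] verint rest_service/rest-hostname-8780 0/0/0/10/12 302 1973 - X-CSRF-TOKEN=NtOTKgh2hfTpjwTuRmx269ZR5qQhDRUtAOf0 ---- 32/32/6/0/0 0/0 {} "GET /test/te/ping/login HTTP/1.1"',
    'May  2 12:46:10 localhost haproxy[59527]: XX.XX.XX.XX:64321 [02/May/2021:12:46:10.887] vendor tag_service/tag-service-hostname 0/0/0/4/4 200 1384 - - ---- 2/2/0/0/0 0/0 {} "GET /km-tag-service/default/tag/newchange?flatten=true&size=150 HTTP/1.1"',
    'May  2 12:46:10 localhost haproxy[15523]: XX.XX.XX.XX:15361 [02/May/2021:12:46:10.429] vendor km_content_service/km-content-hostname 0/0/0/227/227 204 252 - - ---- 1/1/1/0/0 0/0 {} "POST /km-content-service/default/content/vkm:AuthoredContent/46eccba9-2902-4c9b-a51b-4669726ddbc5/en-US?externalSearchId=asfafasdfdsfsadfdfadfsafasdfc HTTP/1.1"',
    'May  2 12:46:02 localhost haproxy[22865]: XX.XX.XX.XX:26962 [02/May/2021:12:44:02.074] vendor agent_desktop/hostname-8283 0/0/0/120003/120003 200 8857 X-CSRF-TOKEN=adfadsfdafdffdafsdafsd - --VN 3/3/2/0/0 0/0 {} "POST /GTConnect/UnifiedAcceptor/?mode=pushconnect&logicalSessionID=AddKnowPageSetServices.Implementation.PageSetV1.RestPageSet&window=primaryWindow HTTP/1.1"',
    'May  2 12:45:42 localhost haproxy[56287]: XX.XX.XX.XX:39617 [02/May/2021:12:45:42.144]  vendor agent_service/agent-services-hostname 0/0/0/154/155 200 2646 - - ---- 3/3/0/0/0 0/0 {} "GET /agent-service/defauasfdasfsdfsions?profiletest HTTP/1.1"',
]

if __name__ == "__main__":
    for line in SAMPLE:
        print(extract(line))
    print("unmatched:", unmatched(SAMPLE))
    print("slower than 1s:", slow_requests(SAMPLE, 1000))
```

Two things worth keeping in mind when reusing the rex: the group the thread names `response` is the fifth HAProxy timer, the total request time in milliseconds, and the three-digit HTTP status is the next token, so name it `total_time` or similar in a real extraction to avoid the two being confused; and because `\w` excludes the hyphen, `hostname` only captures the last hyphen-separated segment of the backend name (with the thread's placeholders that is always the literal "hostname"), so widen it to `[\w-]+` if the full backend name is what you need to report on.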