Splunk Search

Need to create rex group expression

ravir_jbp
Explorer

Apr 30 09:13:30 localhost haproxy[22865]: 10.10.10.10:31872 [30/Apr/2021:09:13:30.362] verint rest_service/rest-hostname-8780 0/0/0/10/12 302 1973 - X-CSRF-TOKEN=NtOTKgh2hfTpjwTuRmx269ZR5qQhDRUtAOf0 ---- 32/32/6/0/0 0/0 {} "GET /test/te/ping/login HTTP/1.1"

Apr 30 09:13:30 localhost haproxy[22865]: 10.10.10.10:52353 [30/Apr/2021:09:13:30.322] verint rest_service/rest-hostname-8680 0/0/0/1/1 200 11537 - - ---- 32/32/6/1/0 0/0 {} "GET /filterservices/css/filters.css HTTP/1.1" Apr 30 09:13:30 localhost haproxy[22865]: 10.10.10.10:42112

[30/Apr/2021:09:13:30.059] verint rest_service/rest-hostname-8780 0/0/12/143/202 200 122948 - - ---- 32/32/7/0/0 0/0 {} "GET /verintkm/js/tree.jquery.js HTTP/1.1"

the below rex expression is working fine until the port number for above events. Now I am trying add expression for "0/0/12/143/202 200". After the port group I need to create another group name (response time) for the value 202 which is the last value after forward slash.[expr/expres/expre/expres/group name]

 

\[[^\]]+\]\s\w+\s(?<service>[^\/]+)\/\w+\-(?<hostname>\w+)\-(?<port>\d+)\s+

 

Labels (1)
Tags (1)
0 Karma

ITWhisperer
SplunkTrust
SplunkTrust
\[[^\]]+\]\s\w+\s(?<service>[^\/]+)\/\w+\-(?<hostname>\w+)\-(?<port>\d+)\s+(\d+\/){4}(?<response>\d+)\s+
0 Karma

ravir_jbp
Explorer

@ITWhisperer 

Thank you for your quick reponse. This script worked for two type of events. When I tried to search I have 14 different type of events in Haproxy logs. in regix101 site I was able to find only two type of events. I have mentioned the 14 different type of events. Can you help me to add few expression so that it matches for all evets. I tried for many hours by not getting the group name field.  Please help.

 

May  2 12:46:10 localhost haproxy[59527]: XX.XX.XX.XX:64321 [02/May/2021:12:46:10.887] vendor tag_service/tag-service-hostname 0/0/0/4/4 200 1384 - - ---- 2/2/0/0/0 0/0 {} "GET /km-tag-service/default/tag/newchange?flatten=true&size=150 HTTP/1.1"


May  2 12:46:10 localhost haproxy[59527]: XX.XX.XX.XX:30273 [02/May/2021:12:46:10.801] vendor apache_static/apache-hostname 0/0/0/21/22 200 21076 - - ---- 3/3/0/0/0 0/0 {} "GET /filestorage/KM/files/uploaded/ssfadfadfasdf HTTP/1.1"



May  2 12:46:10 localhost haproxy[59527]: XX.XX.XX.XX:46529 [02/May/2021:12:46:10.576] vendor km_bookmark_service/km-bookmark-hostname 0/0/0/198/198 200 1204 - - ---- 2/2/0/0/0 0/0 {} "GET /km-bookmark-service/default/bookmark/test/KfsafasdfsadffdfdfsdF79?lang=en-US HTTP/1.1"


May  2 12:46:10 localhost haproxy[59527]: XX.XX.XX.XX:65505 [02/May/2021:12:46:10.599] vendor soap_services/soap-hostname-8281 0/0/0/166/166 200 26596 - - ---- 4/4/0/0/0 0/0 {} "POST /GTConnect/StatelessSoapAcceptor/?gtxInitialProcess=AddKnowContentServices.API.BookmarkService.KMBookmarkServiceV1 HTTP/1.1"



May  2 12:46:10 localhost haproxy[59527]: XX.XX.XX.XX:34269 [02/May/2021:12:46:10.578] vendor all_solr_servers/solr-slave-hostname 0/0/0/8/10 200 2777 - - ---- 4/4/0/0/0 0/0 {} "POST /solr/KM/select HTTP/1.1"

 
May  2 12:46:10 localhost haproxy[56287]: XX.XX.XX.XX:5697 [02/May/2021:12:46:09.960] vendor asset_service/asset-service-hostname 0/0/0/868/870 200 25069 - - ---- 3/3/0/0/0 0/0 {} "GET /km-asset-service/default/asset/file/Hospital_Reference_Laboratory_Protocol_Denial_Time1617629752632.htm?contentID=KMlJd3VMJI5Q8E08h95F79&lang=en-US&version=10.0 HTTP/1.1"


 
May  2 12:46:10 localhost haproxy[15523]: XX.XX.XX.XX:15361 [02/May/2021:12:46:10.429] vendor km_content_service/km-content-hostname 0/0/0/227/227 204 252 - - ---- 1/1/1/0/0 0/0 {} "POST /km-content-service/default/content/vkm:AuthoredContent/46eccba9-2902-4c9b-a51b-4669726ddbc5/en-US?externalSearchId=asfafasdfdsfsadfdfadfsafasdfc HTTP/1.1"


May  2 12:46:10 localhost haproxy[14380]: XX.XX.XX.XX:43521 [02/May/2021:12:46:09.945] vendor rest_service/rest-hostname-8780 0/0/0/887/887 200 21245 X-CSRF-TOKEN=2ofYcQfOxKKvm938FvZt79rSWXPnc7yqr91f - ---- 4/4/0/0/0 0/0 {} "GET /contentservices/km/asset/gasdfasdfsd.test.com%3A443 HTTP/1.1"


May  2 12:46:05 localhost haproxy[15523]: XX.XX.XX.XX:12647 [02/May/2021:12:46:05.720] vendor km_search_service/km-search-hostname 0/0/0/271/272 200 66149 - - ---- 0/0/0/0/0 0/0 {} "GET /km-search-service/default/search?query=search%20callback&tag=kbas HTTP/1.1"

 
May  2 12:46:02 localhost haproxy[22865]: XX.XX.XX.XX:26962 [02/May/2021:12:44:02.074] vendor agent_desktop/hostname-8283 0/0/0/120003/120003 200 8857 X-CSRF-TOKEN=adfadsfdafdffdafsdafsd - --VN 3/3/2/0/0 0/0 {} "POST /GTConnect/UnifiedAcceptor/?mode=pushconnect&logicalSessionID=AddKnowPageSetServices.Implementation.PageSetV1.RestPageSet&window=primaryWindow HTTP/1.1"

 
May  2 12:46:01 localhost haproxy[59527]: XX.XX.XX.XX:2113 [02/May/2021:12:46:01.533] vendor km_indexer/km-indexer-hostname 0/0/0/6/6 200 126 - - ---- 3/3/0/0/0 0/0 {} "GET /search-contribution/admin/v1/isIndexFieldCacheStale?timestamp=1619842290988 HTTP/1.1"

 
May  2 12:45:42 localhost haproxy[56287]: XX.XX.XX.XX:39617 [02/May/2021:12:45:42.144]  vendor agent_service/agent-services-hostname 0/0/0/154/155 200 2646 - - ---- 3/3/0/0/0 0/0 {} "GET /agent-service/defauasfdasfsdfsions?profiletest HTTP/1.1"


May  2 12:45:42 localhost haproxy[59527]: XX.XX.XX.XX:46529 [02/May/2021:12:45:41.950] vendor cre_services/cre-services-hostname 0/0/0/362/362 200 2829 - - ---- 2/2/0/0/0 0/0 {} "POST /oidc-token-service/default/token HTTP/1.1"

May  2 12:45:42 localhost haproxy[15523]: XX.XX.XX.XX:42189 [02/May/2021:12:45:41.992] vendor agent_synchronizer/agent-synchronizer-hostname 0/0/0/142/142 200 627 - - ---- 2/2/0/0/0 0/0 {} "POST /agent-synchronizer/default/synchronizedAgent HTTP/1.1"

 

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

 

\[[^\]]+\]\s+\w+\s(?<service>[^\/]+)\/((\w+\-)*?|)(?<hostname>\w+)(\-(?<port>\d+)|)?\s(\d+\/){4}(?<response>\d+)\s+

 

0 Karma
Did you miss .conf21 Virtual?

Good news! The event's keynotes and many of its breakout sessions are now available online, and still totally FREE!