Splunk Search

Regex apache log when field is undefined

DFresh4130
Path Finder

We have some apache logs that I've added the %D (response time in microseconds) log config to at the very end. The splunk configuration is not set up on these servers to match each field so the response time at the end is currently undefined. Below is an example of the log output and the pipes are the field delimiters in apache, but the splunk config isn't using that.

192.168.254.2|-|-|[05/Jun/2014:18:33:35 -0400]|"POST /order/app1/123 HTTP/1.0"|200|284|"-"|"Jakarta Commons-HttpClient"|2788571
192.168.254.2|-|-|[05/Jun/2014:18:35:43 -0400]|"POST /order/app1/123 HTTP/1.0"|200|284|"-"|"Jakarta Commons-HttpClient"|3125614
192.168.254.2|-|-|[05/Jun/2014:18:45:42 -0400]|"POST /order/app1/123 HTTP/1.0"|200|284|"-"|"Jakarta Commons-HttpClient"|2506712

I've tried the following rex string and it returns search results. However, if I add something like timechart avg(MicroSeconds) I get no data for the response times. Is there anything I can do without modifying the splunk configuration on the server itself? I'd like to avoid modifying the splunk config if possible.

sourcetype=access_combined POST | rex field=_raw "(?<response_time>\d([0-9]{6-12}))"

0 Karma
1 Solution

rsennett_splunk
Splunk Employee
Splunk Employee

You're close...
But you have the {min,max} notation with the wrong delimiter


so you can use
(?<response_time>\d{6,12})
or you can use
(?<response_time>[0-9]{6,12})
or you can use
(?<response_time>\d([0-9]{6,12})
And they will all grab the response time field for you...

With Splunk... the answer is always "YES!". It just might require more regex than you're prepared for!

View solution in original post

rsennett_splunk
Splunk Employee
Splunk Employee

You're close...
But you have the {min,max} notation with the wrong delimiter


so you can use
(?<response_time>\d{6,12})
or you can use
(?<response_time>[0-9]{6,12})
or you can use
(?<response_time>\d([0-9]{6,12})
And they will all grab the response time field for you...

With Splunk... the answer is always "YES!". It just might require more regex than you're prepared for!

rsennett_splunk
Splunk Employee
Splunk Employee

awesome. Would you mind "accepting" the answer? Otherwise, the question kind of hangs out in limbo. Glad you found your typo!

With Splunk... the answer is always "YES!". It just might require more regex than you're prepared for!
0 Karma

DFresh4130
Path Finder

I found my typo not long after posting this. Thanks!

0 Karma
Get Updates on the Splunk Community!

Splunk Observability Cloud | Unified Identity - Now Available for Existing Splunk ...

Raise your hand if you’ve already forgotten your username or password when logging into an account. (We can’t ...

Index This | How many sides does a circle have?

February 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

Registration for Splunk University is Now Open!

Are you ready for an adventure in learning?   Brace yourselves because Splunk University is back, and it's ...