Regex apache log when field is undefined

DFresh4130
Path Finder

We have some Apache logs that I've added the %D (response time in microseconds) log config to at the very end. The Splunk configuration is not set up on these servers to match each field, so the response time at the end is currently undefined. Below is an example of the log output; the pipes are the field delimiters in Apache, but the Splunk config isn't using that.

192.168.254.2|-|-|[05/Jun/2014:18:33:35 -0400]|"POST /order/app1/123 HTTP/1.0"|200|284|"-"|"Jakarta Commons-HttpClient"|2788571
192.168.254.2|-|-|[05/Jun/2014:18:35:43 -0400]|"POST /order/app1/123 HTTP/1.0"|200|284|"-"|"Jakarta Commons-HttpClient"|3125614
192.168.254.2|-|-|[05/Jun/2014:18:45:42 -0400]|"POST /order/app1/123 HTTP/1.0"|200|284|"-"|"Jakarta Commons-HttpClient"|2506712

I've tried the following rex string and it returns search results. However, if I add something like timechart avg(MicroSeconds) I get no data for the response times. Is there anything I can do without modifying the splunk configuration on the server itself? I'd like to avoid modifying the splunk config if possible.

sourcetype=access_combined POST | rex field=_raw "(?<response_time>\d([0-9]{6-12}))"


rsennett_splunk
Splunk Employee

You're close...
But you have the {min,max} notation with the wrong delimiter.

so you can use
(?<response_time>\d{6,12})
or you can use
(?<response_time>[0-9]{6,12})
or you can use
(?<response_time>\d([0-9]{6,12}))
And they will all grab the response time field for you...

With Splunk... the answer is always "YES!". It just might require more regex than you're prepared for!
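As an added example (not part of this thread), the snippet below replays the fix outside Splunk: Python's re module stands in for the PCRE engine behind rex, and both treat the malformed quantifier {6-12} as literal characters, which is why the original pattern extracted nothing and the average had no data. The helpers rex, events and stats_avg are hypothetical stand-ins for the Splunk commands, the log lines are constructed from the question's samples, and the trailing $ anchor is an addition here, not part of the answer.

```python
import re

# Constructed sample events, shaped like the lines in the question: a pipe-delimited
# Apache access log with %D (response time in microseconds) appended as the last field.
SAMPLE_LOG = """\
192.168.254.2|-|-|[05/Jun/2014:18:33:35 -0400]|"POST /order/app1/123 HTTP/1.0"|200|284|"-"|"Jakarta Commons-HttpClient"|2788571
192.168.254.2|-|-|[05/Jun/2014:18:35:43 -0400]|"POST /order/app1/123 HTTP/1.0"|200|284|"-"|"Jakarta Commons-HttpClient"|3125614
192.168.254.2|-|-|[05/Jun/2014:18:45:42 -0400]|"POST /order/app1/123 HTTP/1.0"|200|284|"-"|"Jakarta Commons-HttpClient"|2506712
"""

# The pattern from the question: {6-12} is not a valid quantifier, so both PCRE and
# Python's re treat "{6-12}" as six literal characters that never occur in the event.
BROKEN_REX = re.compile(r"(?P<response_time>\d([0-9]{6-12}))")

# The corrected pattern from the answer, plus a trailing "$" (added here, not in the
# answer) so a long digit run elsewhere in the event can never be mistaken for %D.
FIXED_REX = re.compile(r"(?P<response_time>\d{6,12})$")


def rex(pattern, raw):
    """Mimic `rex field=_raw "..."`: named captures become fields; no match, no field."""
    m = pattern.search(raw)
    return m.groupdict() if m else {}


def events(pattern, log=SAMPLE_LOG):
    """Apply the extraction to every event in the constructed log."""
    return [rex(pattern, line) for line in log.splitlines() if line]


def stats_avg(field, evs):
    """Mimic `stats avg(field)`: events lacking the field contribute nothing.

    Returns None when no event carries the field, which is what a chart over a
    never-extracted (or misspelled) field name shows as "no data".
    """
    vals = [int(e[field]) for e in evs if field in e]
    return sum(vals) / len(vals) if vals else None


if __name__ == "__main__":
    print("broken pattern   :", stats_avg("response_time", events(BROKEN_REX)))  # None
    print("fixed pattern    :", stats_avg("response_time", events(FIXED_REX)))   # 8420897 / 3
    print("wrong field name :", stats_avg("MicroSeconds", events(FIXED_REX)))    # None
```

The third call shows a second way to get "no data": the stats field name must match the capture-group name used in rex.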

rsennett_splunk
Splunk Employee

awesome. Would you mind "accepting" the answer? Otherwise, the question kind of hangs out in limbo. Glad you found your typo!

With Splunk... the answer is always "YES!". It just might require more regex than you're prepared for!
DFresh4130
Path Finder

I found my typo not long after posting this. Thanks!
