Regex apache log when field is undefined

DFresh4130
Path Finder

We have some Apache logs that I've added the %D (response time in microseconds) log config to at the very end. The Splunk configuration is not set up on these servers to match each field, so the response time at the end is currently undefined. Below is an example of the log output; the pipes are the field delimiters in Apache, but the Splunk config isn't using that.

192.168.254.2|-|-|[05/Jun/2014:18:33:35 -0400]|"POST /order/app1/123 HTTP/1.0"|200|284|"-"|"Jakarta Commons-HttpClient"|2788571
192.168.254.2|-|-|[05/Jun/2014:18:35:43 -0400]|"POST /order/app1/123 HTTP/1.0"|200|284|"-"|"Jakarta Commons-HttpClient"|3125614
192.168.254.2|-|-|[05/Jun/2014:18:45:42 -0400]|"POST /order/app1/123 HTTP/1.0"|200|284|"-"|"Jakarta Commons-HttpClient"|2506712

I've tried the following rex string and it returns search results. However, if I add something like timechart avg(MicroSeconds) I get no data for the response times. Is there anything I can do without modifying the Splunk configuration on the server itself? I'd like to avoid modifying the Splunk config if possible.

sourcetype=access_combined POST | rex field=_raw "(?<response_time>\d([0-9]{6-12}))"


rsennett_splunk
Splunk Employee

You're close...
But you have the {min,max} notation with the wrong delimiter
so you can use
(?<response_time>\d{6,12})
or you can use
(?<response_time>[0-9]{6,12})
or you can use
(?<response_time>\d([0-9]{6,12}))
And they will all grab the response time field for you...

With Splunk... the answer is always "YES!". It just might require more regex than you're prepared for!
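An added example, not part of the thread: a Python script that runs the question's broken quantifier, the answer's corrected one, and an anchored variant against the sample lines above, then averages the extracted values the way timechart avg() would. The fourth log line is constructed to show an unanchored \d{6,12} latching onto a request id instead of %D; Python's re spells named groups (?P<name>...) where Splunk's rex uses (?<name>...), and the helper names extract and avg_microseconds are my own.

```python
import re
from statistics import mean

# Constructed sample: the three lines from the question, plus one extra line
# (also constructed) whose request path carries a 7-digit id, to show why an
# unanchored \d{6,12} can grab the wrong field.
SAMPLE_LOG = """\
192.168.254.2|-|-|[05/Jun/2014:18:33:35 -0400]|"POST /order/app1/123 HTTP/1.0"|200|284|"-"|"Jakarta Commons-HttpClient"|2788571
192.168.254.2|-|-|[05/Jun/2014:18:35:43 -0400]|"POST /order/app1/123 HTTP/1.0"|200|284|"-"|"Jakarta Commons-HttpClient"|3125614
192.168.254.2|-|-|[05/Jun/2014:18:45:42 -0400]|"POST /order/app1/123 HTTP/1.0"|200|284|"-"|"Jakarta Commons-HttpClient"|2506712
192.168.254.2|-|-|[05/Jun/2014:18:50:01 -0400]|"POST /order/app1/1234567 HTTP/1.0"|200|284|"-"|"Jakarta Commons-HttpClient"|2000000
"""

# Splunk's rex uses PCRE named groups (?<name>...); Python's re spells them (?P<name>...).
# "{6-12}" is not a valid {min,max} quantifier, so both engines treat the braces as
# literal characters and the question's pattern never matches a real log line.
BROKEN = re.compile(r"(?P<response_time>\d([0-9]{6-12}))")
# The accepted answer's fix: a comma as the delimiter.
FIXED = re.compile(r"(?P<response_time>\d{6,12})")
# Anchored to the last pipe-delimited field at end of line, so a long digit run
# earlier in the event (request id, order number) cannot be mistaken for %D.
ANCHORED = re.compile(r"\|(?P<response_time>\d+)$")


def extract(pattern, lines):
    """Return the response_time captured on each line, or None where the regex misses."""
    results = []
    for line in lines:
        match = pattern.search(line)
        results.append(int(match.group("response_time")) if match else None)
    return results


def avg_microseconds(pattern, raw=SAMPLE_LOG):
    """Emulate `... | stats avg(response_time)`: only events where the field exists count."""
    values = [v for v in extract(pattern, raw.splitlines()) if v is not None]
    return mean(values) if values else None


if __name__ == "__main__":
    for name, pattern in (("broken", BROKEN), ("fixed", FIXED), ("anchored", ANCHORED)):
        print(f"{name:8s} {extract(pattern, SAMPLE_LOG.splitlines())} avg={avg_microseconds(pattern)}")
```

The broken pattern extracts nothing, which is exactly why the question's timechart came back empty; the anchored form is the one to prefer once %D is always the final field.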

rsennett_splunk
Splunk Employee

awesome. Would you mind "accepting" the answer? Otherwise, the question kind of hangs out in limbo. Glad you found your typo!

With Splunk... the answer is always "YES!". It just might require more regex than you're prepared for!

DFresh4130
Path Finder

I found my typo not long after posting this. Thanks!
