Splunk Search

Regex apache log when field is undefined

DFresh4130
Path Finder

We have some apache logs that I've added the %D (response time in microseconds) log config to at the very end. The splunk configuration is not set up on these servers to match each field so the response time at the end is currently undefined. Below is an example of the log output and the pipes are the field delimiters in apache, but the splunk config isn't using that.

192.168.254.2|-|-|[05/Jun/2014:18:33:35 -0400]|"POST /order/app1/123 HTTP/1.0"|200|284|"-"|"Jakarta Commons-HttpClient"|2788571
192.168.254.2|-|-|[05/Jun/2014:18:35:43 -0400]|"POST /order/app1/123 HTTP/1.0"|200|284|"-"|"Jakarta Commons-HttpClient"|3125614
192.168.254.2|-|-|[05/Jun/2014:18:45:42 -0400]|"POST /order/app1/123 HTTP/1.0"|200|284|"-"|"Jakarta Commons-HttpClient"|2506712

I've tried the following rex string and it returns search results. However, if I add something like timechart avg(MicroSeconds) I get no data for the response times. Is there anything I can do without modifying the splunk configuration on the server itself? I'd like to avoid modifying the splunk config if possible.

sourcetype=access_combined POST | rex field=_raw "(?<response_time>\d([0-9]{6-12}))"

0 Karma
1 Solution

rsennett_splunk
Splunk Employee

You're close...
But you have the {min,max} notation with the wrong delimiter

so you can use
(?<response_time>\d{6,12})
or you can use
(?<response_time>[0-9]{6,12})
or you can use
(?<response_time>\d([0-9]{6,12}))
And they will all grab the response time field for you...

With Splunk... the answer is always "YES!". It just might require more regex than you're prepared for!
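Added example, not from the original thread: the three log lines posted in the question (copied here as constructed input) are run through the broken `{6-12}` quantifier and the corrected `{6,12}` one using Python's re module, which spells named groups `(?P<name>...)` where Splunk's PCRE uses `(?<name>...)`, so you can see why the field stays undefined under the typo and what the averaged response time becomes once it matches.

```python
import re
from statistics import mean

# Constructed copies of the pipe-delimited lines from the question; the last
# field is apache's %D (response time in microseconds).
LOG_LINES = [
    '192.168.254.2|-|-|[05/Jun/2014:18:33:35 -0400]|"POST /order/app1/123 HTTP/1.0"|200|284|"-"|"Jakarta Commons-HttpClient"|2788571',
    '192.168.254.2|-|-|[05/Jun/2014:18:35:43 -0400]|"POST /order/app1/123 HTTP/1.0"|200|284|"-"|"Jakarta Commons-HttpClient"|3125614',
    '192.168.254.2|-|-|[05/Jun/2014:18:45:42 -0400]|"POST /order/app1/123 HTTP/1.0"|200|284|"-"|"Jakarta Commons-HttpClient"|2506712',
]

# '{6-12}' is not a valid repetition, so both PCRE and Python treat the braces
# as literal characters: the pattern now demands the text "{6-12}" in the log
# line and never matches. The search still returns events; the field is just
# never created, which is why timechart avg(...) shows nothing.
BROKEN = re.compile(r"(?P<response_time>\d([0-9]{6-12}))")

# Corrected delimiter from the accepted answer. In these lines the first run of
# 6 to 12 digits is the trailing %D field; \|(?P<response_time>\d{6,12})$ would
# pin it to the last field explicitly.
FIXED = re.compile(r"(?P<response_time>\d{6,12})")


def extract(pattern, line):
    """Return the captured response_time as an int, or None when the rex does not match.

    Note the field name: whatever you name the group here is the name you
    must use downstream (the question's rex names it response_time but the
    timechart asks for MicroSeconds).
    """
    m = pattern.search(line)
    return int(m.group("response_time")) if m else None


def avg_response_us(lines, pattern=FIXED):
    """Mimic `timechart avg(response_time)`: average only the events where the field exists."""
    values = [v for v in (extract(pattern, line) for line in lines) if v is not None]
    return mean(values) if values else None


if __name__ == "__main__":
    print("broken rex:", [extract(BROKEN, line) for line in LOG_LINES])
    print("fixed rex: ", [extract(FIXED, line) for line in LOG_LINES])
    print("avg (us):  ", avg_response_us(LOG_LINES))
```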


rsennett_splunk
Splunk Employee

Awesome. Would you mind "accepting" the answer? Otherwise, the question kind of hangs out in limbo. Glad you found your typo!

With Splunk... the answer is always "YES!". It just might require more regex than you're prepared for!
0 Karma

DFresh4130
Path Finder

I found my typo not long after posting this. Thanks!

0 Karma