Splunk Search

Regex apache log when field is undefined

Path Finder

We have some apache logs that I've added the %D (response time in microseconds) log config to at the very end. The splunk configuration is not set up on these servers to match each field so the response time at the end is currently undefined. Below is an example of the log output and the pipes are the field delimiters in apache, but the splunk config isn't using that.

192.168.254.2|-|-|[05/Jun/2014:18:33:35 -0400]|"POST /order/app1/123 HTTP/1.0"|200|284|"-"|"Jakarta Commons-HttpClient"|2788571
192.168.254.2|-|-|[05/Jun/2014:18:35:43 -0400]|"POST /order/app1/123 HTTP/1.0"|200|284|"-"|"Jakarta Commons-HttpClient"|3125614
192.168.254.2|-|-|[05/Jun/2014:18:45:42 -0400]|"POST /order/app1/123 HTTP/1.0"|200|284|"-"|"Jakarta Commons-HttpClient"|2506712

I've tried the following rex string and it returns search results. However, if I add something like timechart avg(MicroSeconds) I get no data for the response times. Is there anything I can do without modifying the splunk configuration on the server itself? I'd like to avoid modifying the splunk config if possible.

sourcetype=access_combined POST | rex field=_raw "(?<response_time>\d([0-9]{6-12}))"

0 Karma
1 Solution

Splunk Employee
Splunk Employee

You're close...
But you have the {min,max} notation with the wrong delimiter


so you can use
(?<response_time>\d{6,12})
or you can use
(?<response_time>[0-9]{6,12})
or you can use
(?<response_time>\d([0-9]{6,12})
And they will all grab the response time field for you...

With Splunk... the answer is always "YES!". It just might require more regex than you're prepared for!

View solution in original post

Splunk Employee
Splunk Employee

You're close...
But you have the {min,max} notation with the wrong delimiter


so you can use
(?<response_time>\d{6,12})
or you can use
(?<response_time>[0-9]{6,12})
or you can use
(?<response_time>\d([0-9]{6,12})
And they will all grab the response time field for you...

With Splunk... the answer is always "YES!". It just might require more regex than you're prepared for!

View solution in original post

Splunk Employee
Splunk Employee

awesome. Would you mind "accepting" the answer? Otherwise, the question kind of hangs out in limbo. Glad you found your typo!

With Splunk... the answer is always "YES!". It just might require more regex than you're prepared for!
0 Karma

Path Finder

I found my typo not long after posting this. Thanks!

0 Karma