Solved: Regular expression to extract http status

thenormalone · ‎03-10-2021

I have http statuses that come in from 2 different indexes, with almost the same event but the event from one indexer has a combination of space and comma as a delimiter and other just has spaces.

How do I split the event from the search string such that I get the status from both indexes. I have

| rex field=_raw "^(?:[^\s]*\s){8}(?P<statusCode>\d+)"

but this only check for space, I need to also include comma as a delimiter too

ITWhisperer · ‎03-10-2021

| rex field=_raw "^(?:[^\"]*\"){2}\s(?P<statusCode>\d+)"

View solution in original post

ITWhisperer · ‎03-10-2021

Do you have examples of the two types of logs that you can share?

thenormalone · ‎03-10-2021

example from indexer 1:

172.22.83.162 - - [10/Jul/2018:14:46:42 +0000] "GET /tests/benefits HTTP/1.1" 200 337 "-" "Ruby" 0

example from indexer 2:

172.22.83.162 - - [10/Jul/2018:14:46:42,+0000] "GET /tests/benefits HTTP/1.1" 200 337 "-" "Ruby" 0

The timestamp has a comma instead of a space

ITWhisperer · ‎03-10-2021

| rex field=_raw "^(?:[^\"]*\"){2}\s(?P<statusCode>\d+)"

Regular expression to extract http status

eval

regex

rex

stats

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

Transform your security operations with Splunk Enterprise Security

Splunk Admins and App Developers | Earn a $35 gift card!