Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Splunk Rex query to extract field after a part...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
jonthree
Explorer
03-15-2021
07:15 AM
So this is my sample data :
10.3.31.252 - - 15/Mar/2021:14:06:28 +0000 "POST /usenames/rest/sessionscookie dest oamdashboard-oamdashboard.myapp.com/usenames/rest/sessionscookie location usenames upstream_host 10.3.58.247:80 response_from_above 401 user- - - - - myuser myuser 1
I want to extract the status code from this string (which is 401) and user value which is myuser (BOLD sentence mentioned in above logs)
How should i write a rex for this in splunk search query ? Also it may happen that status code does not contain any value and instead of 401, value will be simply hyphen(-).
Also, hyphens after user field may vary and i want exactly 5 hyphens to match the word, otherwise not.
I tried to achieve this by using following:
| rex "response_from_above (?<status>\d+) user - - - - - (?<userid>\w+)" but i am not able to figure this out.
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Vardhan
Contributor
03-16-2021
10:59 PM
Hi @jonthree,
You can search the status logs using search command.
| rex "response_from_above\s+(?<status>\d+)\s+user.*\s+(?<user>\w+)\s+\w+\s+\d" |search status=401
This search will only return status 401 logs.
If this answer helps you then up vote it.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Vardhan
Contributor
03-15-2021
07:23 AM
Hi,
use the below regex.
| rex "response_from_above\s+(?<status>\d+)\s+user.*\s+(?<user>\w+)\s+\w+\s+\d"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
jonthree
Explorer
03-16-2021
10:51 PM
Thanks. Also, how do i search for a particular status on this ..like if i want to search the logs having 401 status code only and not with status code 200 or 500 ?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Vardhan
Contributor
03-16-2021
10:59 PM
Hi @jonthree,
You can search the status logs using search command.
| rex "response_from_above\s+(?<status>\d+)\s+user.*\s+(?<user>\w+)\s+\w+\s+\d" |search status=401
This search will only return status 401 logs.
If this answer helps you then up vote it.
Get Updates on the Splunk Community!
Prove Your Splunk Prowess at .conf25—No Prereqs Required!
Your Next Big Security Credential: No Prerequisites Needed
We know you’ve got the skills, and now, earning the ...
Splunk Observability Cloud's AI Assistant in Action Series: Observability as Code
This is the sixth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...
Splunk Answers Content Calendar, July Edition I
Hello Community!
Welcome to another month of Community Content Calendar series! For the month of July, we will ...
