Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Splunk Rex query to extract field after a particular exact word only

jonthree
Explorer
‎03-15-2021 07:15 AM

So this is my sample data :

10.3.31.252 - - 15/Mar/2021:14:06:28 +0000 "POST /usenames/rest/sessionscookie dest oamdashboard-oamdashboard.myapp.com/usenames/rest/sessionscookie location usenames upstream_host 10.3.58.247:80 response_from_above 401 user- - - - - myuser myuser 1

 

I want to extract the status code from this string (which is 401) and user value which is myuser (BOLD sentence mentioned in above logs)

How should i write a rex for this in splunk search query ? Also it may happen that status code does not contain any value and instead of 401, value will be simply hyphen(-).

Also, hyphens after user field may vary and i want exactly 5 hyphens to match the word, otherwise not.

I tried to achieve this by using following:

| rex "response_from_above (?<status>\d+) user - - - - - (?<userid>\w+)" but i am not able to figure this out.

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Vardhan
Contributor
‎03-16-2021 10:59 PM

Hi @jonthree,

You can search the status logs using search command.

| rex "response_from_above\s+(?<status>\d+)\s+user.*\s+(?<user>\w+)\s+\w+\s+\d" |search status=401

This search will only return status 401 logs.

If this answer helps you then up vote it.

View solution in original post

Reply
Solved! Jump to solution

Vardhan
Contributor
‎03-15-2021 07:23 AM

Hi,

use the below regex.

| rex "response_from_above\s+(?<status>\d+)\s+user.*\s+(?<user>\w+)\s+\w+\s+\d"

Reply
Solved! Jump to solution

jonthree
Explorer
‎03-16-2021 10:51 PM

Thanks. Also, how do i search for a particular status on this ..like if i want to search the logs having 401 status code only and not with status code 200 or 500 ?

Tags (1)
0 Karma
Reply
Solved! Jump to solution
Solution

Vardhan
Contributor
‎03-16-2021 10:59 PM

Hi @jonthree,

You can search the status logs using search command.

| rex "response_from_above\s+(?<status>\d+)\s+user.*\s+(?<user>\w+)\s+\w+\s+\d" |search status=401

This search will only return status 401 logs.

If this answer helps you then up vote it.

Reply
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...