Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Splunk Rex query to extract field after a particular exact word only

jonthree
Explorer
‎03-15-2021 07:15 AM

So this is my sample data :

10.3.31.252 - - 15/Mar/2021:14:06:28 +0000 "POST /usenames/rest/sessionscookie dest oamdashboard-oamdashboard.myapp.com/usenames/rest/sessionscookie location usenames upstream_host 10.3.58.247:80 response_from_above 401 user- - - - - myuser myuser 1

 

I want to extract the status code from this string (which is 401) and user value which is myuser (BOLD sentence mentioned in above logs)

How should i write a rex for this in splunk search query ? Also it may happen that status code does not contain any value and instead of 401, value will be simply hyphen(-).

Also, hyphens after user field may vary and i want exactly 5 hyphens to match the word, otherwise not.

I tried to achieve this by using following:

| rex "response_from_above (?<status>\d+) user - - - - - (?<userid>\w+)" but i am not able to figure this out.

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Vardhan
Contributor
‎03-16-2021 10:59 PM

Hi @jonthree,

You can search the status logs using search command.

| rex "response_from_above\s+(?<status>\d+)\s+user.*\s+(?<user>\w+)\s+\w+\s+\d" |search status=401

This search will only return status 401 logs.

If this answer helps you then up vote it.

View solution in original post

Reply
Solved! Jump to solution

Vardhan
Contributor
‎03-15-2021 07:23 AM

Hi,

use the below regex.

| rex "response_from_above\s+(?<status>\d+)\s+user.*\s+(?<user>\w+)\s+\w+\s+\d"

Reply
Solved! Jump to solution

jonthree
Explorer
‎03-16-2021 10:51 PM

Thanks. Also, how do i search for a particular status on this ..like if i want to search the logs having 401 status code only and not with status code 200 or 500 ?

Tags (1)
0 Karma
Reply
Solved! Jump to solution
Solution

Vardhan
Contributor
‎03-16-2021 10:59 PM

Hi @jonthree,

You can search the status logs using search command.

| rex "response_from_above\s+(?<status>\d+)\s+user.*\s+(?<user>\w+)\s+\w+\s+\d" |search status=401

This search will only return status 401 logs.

If this answer helps you then up vote it.

Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...