So this is my sample data :
10.3.31.252 - - 15/Mar/2021:14:06:28 +0000 "POST /usenames/rest/sessionscookie dest oamdashboard-oamdashboard.myapp.com/usenames/rest/sessionscookie location usenames upstream_host 10.3.58.247:80 response_from_above 401 user- - - - - myuser myuser 1
I want to extract the status code from this string (which is 401) and user value which is myuser (BOLD sentence mentioned in above logs)
How should i write a rex for this in splunk search query ? Also it may happen that status code does not contain any value and instead of 401, value will be simply hyphen(-).
Also, hyphens after user field may vary and i want exactly 5 hyphens to match the word, otherwise not.
I tried to achieve this by using following:
| rex "response_from_above (?<status>\d+) user - - - - - (?<userid>\w+)" but i am not able to figure this out.
You can search the status logs using search command.
| rex "response_from_above\s+(?<status>\d+)\s+user.*\s+(?<user>\w+)\s+\w+\s+\d" |search status=401
This search will only return status 401 logs.
If this answer helps you then up vote it.
View solution in original post
use the below regex.
| rex "response_from_above\s+(?<status>\d+)\s+user.*\s+(?<user>\w+)\s+\w+\s+\d"
Thanks. Also, how do i search for a particular status on this ..like if i want to search the logs having 401 status code only and not with status code 200 or 500 ?