Solved: Why is the regular expression for rex in my search...

dbcase · ‎08-08-2016

Hi,

I have this data

fn.util.SingleDeviceDebugger - RCVD REST request from premise 101: GET /rest/icontrol/login HTTP/1.1 Host: betamax-portal1:8080 X-ClientInfo: 7.3.7.49 X-loginEncoded: false Accept: */* X-password: ******** X-AppKey: defaultKey X-allowNonActivatedLogin: true X-Device-Name: Corey's iPhone Cache-Control: no-cache Accept-Language: en-us Accept-Encoding: gzip, deflate X-login: coreyq User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 9_3_3 like Mac OS X) AppleWebKit/601.1.46 (KHTML, like Gecko) Mobile/13G34 X-Device-Id: 64020C05-5038-4F4C-A39C-EE5FA4C27720 X-format: json Cookie: JSESSIONID=9wNqgG6jvrOAbC6QjgOlkhusReOT9xhNtSEPvKOrmke0utWnUuY6!-823929644 X-expires: 1800000 X-Device-Type: Device Via: 1.1 beta.icontrol.com X-Forwarded-For: 63.239.122.42 X-Forwarded-Host: beta.icontrol.com X-Forwarded-Server: beta.icontrol.com Connection: close expand: sites,instances,points,functions

and this regex User-Agent:\s(.+?)\s(?<status>)

Rex 101 shows that it matches, but when I use it in Splunk I get zero matches

earliest=-6h host="*beta*" index=wls sourcetype=wls_managedserver "X-login"|rex "User-Agent:\s(.+?)\s(?<status>)"

sundareshr · ‎08-08-2016

Try this

... | rex "User-Agent:\s(?<ua>[^\s]+)" | ...

View solution in original post

JDukeSplunk · ‎08-08-2016

Try this

|rex field=_raw "User-Agent: (?P<User_Agent>[^\(]+)"

dbcase · ‎08-08-2016

That worked! Many many thanks!!!! One other thing I'm trying to do is get the Chrome/51.0.2704.81 portion

com.ucontrol.rest.security.LoggingFilter - RCVD REST request: GET /rest/icontrol/login HTTP/1.1 Host: betamax-portal2:8080 Pragma: no-cache Cache-Control: no-cache X-AppKey: defaultKey X-allowNonActivatedLogin: true X-password: ******** X-format: json X-loginEncoded: false User-Agent: Mozilla/5.0 (Linux; Android 6.0.1; Robin Build/MMB29M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/51.0.2704.81 Mobile Safari/537.36 X-login: nvelie X-ClientInfo: 7.3.6.26 X-expires: 1800000 Accept: / Accept-Encoding: gzip, deflate Accept-Language: en-US Cookie: JSESSIONID=BXVqeOwp3DpPlNsks1mLjlMk6sNXPLMhvxVex2du6d84Tr6--3lF!-594369723 X-Requested-With: com.icontrol.converge.mobileapp Via: 1.1 beta.icontrol.com X-Forwarded-For: 24.227.215.211 X-Forwarded-Host: beta.icontrol.com X-Forwarded-Server: beta.icontrol.com Connection: close expand: sites,instances,points,functions

dbcase · ‎08-08-2016

and of course Chrome/51.0.2704.81 could be safari, another version of chrome, firefox, etc

sundareshr · ‎08-08-2016

Try this

... | rex "User-Agent:\s(?<ua>[^\s]+)" | ...

dbcase · ‎08-08-2016

Ah nevermind, I see what you are doing.... That works! Thanks!

sundareshr · ‎08-08-2016

What are you trying to capture for status? Did it work?

dbcase · ‎08-08-2016

Hmmmm still not matching

earliest=-6h host="beta" index=wls sourcetype=wls_managedserver "X-login"| rex "User-Agent:\s(?< ua >[^\s]+)(?< status >)"|timechart count by status (spaces have been removed in the real query)

This query gives the status field but only 1 value, NULL

dbcase · ‎08-08-2016

Oh, one more bit of info, I'm trying to extract the Mozilla/5.0 text just after User-Agent:

Why is the regular expression for rex in my search not extracting the field from my sample data?

Preparing your Splunk Environment for OpenSSL3

Deprecation of Splunk Observability Kubernetes “Classic Navigator” UI starting ...

Now Available: Cisco Talos Threat Intelligence Integrations for Splunk Security Cloud ...