Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

regex and rex issue advise for extraction of http headers

g_prez
Path Finder
‎07-13-2011 04:51 AM

Trying to do an inline regex on the snip of log below.
The item that I am trying to extract is the hostname admin.testweb.com or at least that Host: field
The regex that I came up with was "Host:\s(?P)<013>
But what I am getting out of that regex is "admin.testweb.com<013><010>Content-Length: 797"
What I am trying to get out of the extraction is .. admin.testweb.com

Help ?

Accept-Language: en-us<013><010>User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.1; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)<013><010>Content-Type: application/x-www-form-urlencoded<013><010>Accept-Encoding: gzip, deflate<013><010>Host: admin.testweb.com<013><010>Content-Length: 797<013><010>Connection:

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

David
Splunk Employee
Splunk Employee
‎07-13-2011 12:42 PM

Perhaps try "Host:\s(?<web_host>[^\<]*"?

[^ABC]* will find match any string until it hits either an A, B or C, and I've found it works very well for Splunk Regexs. I would assume you have to escape a <, but potentially you can try "Host:\s(?<web_host>[^<]*" as well.

View solution in original post

Reply
Solved! Jump to solution

g_prez
Path Finder
‎07-15-2011 02:14 PM

yep that did the trick and I did not have to escape the < !

0 Karma
Reply
Solved! Jump to solution

David
Splunk Employee
Splunk Employee
‎07-20-2011 11:27 AM

Excellent! I'm glad to hear it.

0 Karma
Reply
Solved! Jump to solution
Solution

David
Splunk Employee
Splunk Employee
‎07-13-2011 12:42 PM

Perhaps try "Host:\s(?<web_host>[^\<]*"?

[^ABC]* will find match any string until it hits either an A, B or C, and I've found it works very well for Splunk Regexs. I would assume you have to escape a <, but potentially you can try "Host:\s(?<web_host>[^<]*" as well.

Reply
Get Updates on the Splunk Community!

Reduce and Transform Your Firewall Data with Splunk Data Management

Managing high-volume firewall data has always been a challenge. Noisy events and verbose traffic logs often ...

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...