Solved: rex for http2 field in log

he204035 · ‎01-27-2022

In the following log entry as "_raw":

"OPTIONS /nnrf-nfm/v1 HTTP/2.0" 405 173 "-" "gmlc-http-client/2.0" "-"

I have successful rex for the "405" error field location and "173" error field location.

I would like to build a rex to identify the "gmlc-http-client" section of that log entry. (That field can show several different client types between those quotes.)

My rex is as follows:

rex field=_raw "HTTP\/2\.0\"\s\d{3}\s\d{3}\s\"\-\"\s\"(?<Error3>)\"\s\"\-\""

This rex does not error, but the result comes back as null/blank.

johnhuang · ‎01-27-2022

Try these. One is greedier than the other.

| rex field=_raw "\"OPTIONS([^\"]*)?HTTP\/\d\.\d\"\s\d+\s\d+\s[^\s]*\s\"(?<http_client>[^\"]*)"

| rex field=_raw "HTTP\/\d\.\d\"\s\d+\s\d+\s[^\s]*\s\"(?<http_client>[^\"]*)"

View solution in original post

yuanliu · ‎01-28-2022

rex field=_raw "HTTP\/2\.0\"\s\d{3}\s\d{3}\s\"\-\"\s\"(?<Error3>)\"\s\"\-\""
This rex does not error, but the result comes back as null/blank.

The expression "(?<Error3>)" positively looks for zero-length match, hence zero-length Error3. @johnhuang's suggestion of (?<Error3>[^\"]+) will fix this. Overall, the above is too rigid. Although httpd logs are highly standard, it is not safe to assume that a blank field ("-") will always be blank, for example. Expressions like [^\"]+ are good lubricants for this purpose.

johnhuang · ‎01-27-2022

Try these. One is greedier than the other.

| rex field=_raw "\"OPTIONS([^\"]*)?HTTP\/\d\.\d\"\s\d+\s\d+\s[^\s]*\s\"(?<http_client>[^\"]*)"

| rex field=_raw "HTTP\/\d\.\d\"\s\d+\s\d+\s[^\s]*\s\"(?<http_client>[^\"]*)"

he204035 · ‎01-28-2022

The second suggestion did the trick. Thank you!

rex for http2 field in log

rex

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!