Can you help me with a regex field extraction?

season88481
Contributor

Hi guys,

I got some strange events as follows:

timestamp: xxxx
controlType: xxxx
criticality: false
object: xxxx
replace: xxxx

timestamp: xxxx
controlType: xxxx
criticality: false
controlType2: xxxx
criticality: true
object: xxxx
delete: xxxx

timestamp: xxxx
controlType: xxxx
criticality: false
object: xxxx
add: xxxx

They are multi-line events and have different numbers of lines. The first line of each event starts with a timestamp. The last line of the event ends with an HTTP method, e.g. replace, add, delete.

I want to extract the HTTP method. But cannot get it working.

Here is the rex I used:

mybaseSearch| rex field=_raw "^(replace|add|delete)(?<method>\:\s)"

Anyone got a better idea? Sorry, not sure how to use keywords as the value of the field.

Many thanks.

Cheers,
Vincent

0 Karma

renjith_nair
Legend

@season88481 ,

Give this a try

|rex field=_raw max_match=0 "(replace|delete|add): (?<METHOD>\S+)"
---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma
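As an added illustration (my own script, not code from either post), the two patterns above applied with Python's re module, which is close enough to Splunk's PCRE for this case, to constructed events shaped like the question's. It shows why the question's rex finds nothing (the ^ anchor only matches at the very start of _raw, and the named group wraps ": " rather than the keyword) and adds a variant, my own assumption about what was wanted, that puts the keyword itself into the field so that e.g. delete operations on critical objects can be searched directly.

```python
import re

# Constructed sample events in the shape the question shows (not real data).
EVENTS = [
    "\n".join(["timestamp: 2024-01-01T00:00:00Z", "controlType: acl",
               "criticality: false", "object: /api/users/1", "replace: xxxx"]),
    "\n".join(["timestamp: 2024-01-01T00:00:01Z", "controlType: acl",
               "criticality: false", "controlType2: role", "criticality: true",
               "object: /api/users/2", "delete: xxxx"]),
    "\n".join(["timestamp: 2024-01-01T00:00:02Z", "controlType: acl",
               "criticality: false", "object: /api/users/3", "add: xxxx"]),
]

# The question's pattern, transcribed to Python's (?P<name>...) syntax.
# Without multiline mode "^" matches only at the start of the whole event,
# where "timestamp:" sits, and the named group captures ": " not the keyword.
ORIGINAL = re.compile(r"^(replace|add|delete)(?P<method>\:\s)")

# The answer's pattern: unanchored, so it finds the keyword on any line, but
# the field receives the value after the colon (Splunk's max_match=0 would
# return every match; search() below returns only the first).
ANSWER = re.compile(r"(replace|delete|add): (?P<METHOD>\S+)")

# Variant (my own, not from the thread): anchor to a line start and capture
# the keyword itself, which is what "use keywords as the value" asks for.
KEYWORD = re.compile(r"^(?P<method>replace|delete|add):\s", re.MULTILINE)


def extract(pattern, event):
    """Return the named groups of the first match, or None if no match."""
    m = pattern.search(event)
    return m.groupdict() if m else None


def extract_all(events):
    """Apply all three patterns to each event for side-by-side comparison."""
    return [
        {"original": extract(ORIGINAL, e),
         "answer": extract(ANSWER, e),
         "keyword": extract(KEYWORD, e)}
        for e in events
    ]


if __name__ == "__main__":
    for row in extract_all(EVENTS):
        print(row)
```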