Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to edit my regular expression to extract numbe...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
JoshuaJohn
Contributor
09-07-2016
12:54 PM
I have this statement:
10.211.1.114 10.222.3.33:4331 - 2016-09-07 14:10:06 0.004 GET /openapi-rest-web/akamai-object.htm - 200 6548 "Java/1.7.0_45" "54.444.444.444" - null [corRID::null] [KEY::-HTTPMonitor-Loyalty] [UID::-]
I am trying to grab the 0.004
10.200.1.200 10.002.0.98:012 - 2016-09-07 14:40:06 0.39 POST /openapi-rest-web/v1/kohlsCash - 200 918 "Apache-HttpClient/4.3.3 (java 1.5)" "100.100.00.187, 144.41.141.00, 144.41.141.44, 54.009.200.002, 144.41.141.44" - null [corRID::NAID-iOS-98797AB9-2978-4987-90CA-059879789-1473276124.978987] [KEY::NUNlVg4532432523mLL8MEpqVvxW9] [UID::-]
I am trying to grab the 0.39
I have this regular expression so far: ^.*(GET|POST)
Which gets me everything before the GET or POST
Any suggestions?
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
sundareshr
Legend
09-07-2016
01:04 PM
Try this
... | rex "(?<numbers>\d+\.\d+)\s(GET|POST)" | table numbers
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
Revered Legend
09-07-2016
01:25 PM
This should do it
your base search | rex "^(\S+\s+){5}(?<YourFieldName>\S+)"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
sundareshr
Legend
09-07-2016
01:04 PM
Try this
... | rex "(?<numbers>\d+\.\d+)\s(GET|POST)" | table numbers
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
JoshuaJohn
Contributor
09-07-2016
01:22 PM
Doesn't seem to work sorry, only getting blank null entries using that
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
JoshuaJohn
Contributor
09-07-2016
01:26 PM
| rex "(?\d+\.\d+)\s(GET|POST)" | where match(response_time,"[a-zA-Z0-9]")| table response_time
This did it
Get Updates on the Splunk Community!
Prove Your Splunk Prowess at .conf25—No Prereqs Required!
Your Next Big Security Credential: No Prerequisites Needed
We know you’ve got the skills, and now, earning the ...
Splunk Observability Cloud's AI Assistant in Action Series: Observability as Code
This is the sixth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...
Splunk Answers Content Calendar, July Edition I
Hello Community!
Welcome to another month of Community Content Calendar series! For the month of July, we will ...
