I am looking for the group name from the phonehome command.
I tried the auto extractor and it was only marginally helpful.
Here is the line to read:
POST /services/broker/phonehome/connection_xxx.xxx.xxx.xxx_xxxx_mysystem.com_mysystem_aa HTTP/1.0
The piece I am trying to find is the group name "aa" at the end of the string, just before the \sHTTP/
I don't know how to write a regex to look back from the HTTP to find the two group letters (always only two letters).
Any help would be great
If it is always only two letters, and they are always lowercase, the following should work:
(?<GroupName>[a-z]{2})\sHTTP
You can add A-Z inside the [] if they could be uppercase letters. If you want to try this extraction in Splunk, try:
...your search... | rex "(?<GroupName>[a-z]{2})\sHTTP"
This is great, thanks.
Thanks for the help.
If you don't mind, can you please help with the regex to extract the "mysystem" name just before the _aa?
Sure, not a problem. Using the sample event, this regex should work to extract both fields:
\_(?<SystemName>[^\_]+)\_(?<GroupName>[a-z]{2})\sHTTP
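As an added example (not part of the original thread or of Splunk itself), the two regexes from the answers run in Python over a handful of constructed request lines, next to an anchored variant that only fires on the phonehome path. Splunk's rex uses PCRE named groups, `(?<name>...)`; Python's `re` spells the same group `(?P<name>...)`, which is the only change made to the posted patterns. The anchored pattern assumes, as the question states, that the group is exactly two letters and that the system name never contains an underscore; the sample lines other than the one from the question are made up.

```python
import re

# Constructed sample request lines. The first is the event from the question;
# the rest are made up to show where the loose patterns over- or under-match.
SAMPLE_EVENTS = [
    "POST /services/broker/phonehome/connection_xxx.xxx.xxx.xxx_xxxx_mysystem.com_mysystem_aa HTTP/1.0",
    "POST /services/broker/phonehome/connection_10.0.0.5_4242_host2.example.com_host2_zq HTTP/1.1",
    "GET /index.php HTTP/1.0",                      # unrelated request, no underscores
    "GET /api/report_daily_us HTTP/1.1",            # unrelated request with underscores
    "POST /services/broker/phonehome/connection_10.0.0.6_4243_host3.example.com_host3_ZQ HTTP/1.1",
]

# The two patterns from the answers, with (?<name> rewritten as Python's (?P<name>.
GROUP_ONLY = re.compile(r"(?P<GroupName>[a-z]{2})\sHTTP")
BOTH_FIELDS = re.compile(r"_(?P<SystemName>[^_]+)_(?P<GroupName>[a-z]{2})\sHTTP")

# Anchored variant (assumption: two-letter group, system name has no "_").
# It walks from the start of the line through the phonehome path and the three
# underscore-delimited tokens before the system name, so it cannot pick fields
# out of an unrelated request, and it accepts upper-case group letters too.
ANCHORED = re.compile(
    r"^[A-Z]+\s/services/broker/phonehome/connection_"
    r"(?:[^_]+_){3}"
    r"(?P<SystemName>[^_]+)_(?P<GroupName>[A-Za-z]{2})\sHTTP/"
)


def extract(line, pattern):
    """Return the pattern's named groups as a dict, or None when it does not match."""
    m = pattern.search(line)
    return m.groupdict() if m else None


def extract_all(lines, pattern):
    """Apply extract() to every line, keeping a None for each non-matching line."""
    return [extract(line, pattern) for line in lines]


if __name__ == "__main__":
    for line in SAMPLE_EVENTS:
        print(line)
        print("  group only :", extract(line, GROUP_ONLY))
        print("  both fields:", extract(line, BOTH_FIELDS))
        print("  anchored   :", extract(line, ANCHORED))
```

On the question's event all three patterns return GroupName "aa" and the two-field patterns return SystemName "mysystem". The loose patterns also "extract" values from the unrelated requests (the last two lowercase letters of `index.php`, or `daily`/`us` from `report_daily_us`), and `[a-z]{2}` misses the upper-case `ZQ` group; the anchored pattern returns None for the unrelated lines and picks up `ZQ`. In Splunk the same effect comes from anchoring the rex to the phonehome path, or from restricting the search to those events before the rex.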