- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Regex Look back two characters
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I am looking for the group name from the phonehome command.
I tried the auto extractor and it was only marginally helpful.
Here is the line to read:
POST /services/broker/phonehome/connection_xxx.xxx.xxx.xxx_xxxx_mysystem.com_mysystem_aa HTTP/1.0
The piece i am trying to find is the group name "aa" at the end of the string just before the \sHTTP/
I don't know how to right a regex to look back from the HTTP to find the two group letters. (always only two letters)
Any help would be great
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If it is always only two letters, and they are always lowercase, the following should work:
(?<GroupName>[a-z]{2})\sHTTP
You can add A-Z inside the [] if they could be uppercase letters. If you want to try this extraction in Splunk, try:
...your search... | rex "(?<GroupName>[a-z]{2})\sHTTP"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If it is always only two letters, and they are always lowercase, the following should work:
(?<GroupName>[a-z]{2})\sHTTP
You can add A-Z inside the [] if they could be uppercase letters. If you want to try this extraction in Splunk, try:
...your search... | rex "(?<GroupName>[a-z]{2})\sHTTP"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
this is great thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Sure, not a problem. Using the sample event, this regex should work to extract both fields:
\_(?<SystemName>[^\_]+)\_(?<GroupName>[a-z]{2})\sHTTP
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for the help.
If you don't mind can you please help with the regex to extract the "mysystem" name just before the _aa
Announcing Scheduled Export GA for Dashboard Studio
Extending Observability Content to Splunk Cloud
More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!
