Splunk Search

How to change current regex for field extraction of whole Set-Cookie from Squid events?

psidler
Explorer

Hi, I am trying to extract multiple Set-Cookie values from Squid events.

props.conf

REPORT-set_cookie = extract-set_cookies
REPORT-cookie = extract-cookies

transforms.conf

[extract-set_cookies]
REGEX = (?i)\\nSet-Cookie: (?P<set_cookie>[^\\]+)
MV_ADD = true

[extract-cookies]
REGEX = (?i)\\nCookie: (?P<cookie>[^\\]+)
MV_ADD = true

But now, my field set_cookie has the following content:

jive.security.context=

Here it cut some content, because the original Set-Cookie from the event looked like this:

Set-Cookie: jive.security.context=\"4Z2cMbTSRIsGjW.LTE=\"; Version=1; Max-Age=2592000; Expires=Fri, 29-Aug-2014 10:41:22 GMT; Path=/;HttpOnly

What do I have to change in my regex to get the whole Set-Cookie?

Thanks in Advance for your help.
Regards,
Patrik

1 Solution

somesoni2
Revered Legend

Give this a try

your base search | rex "(?i)Set-Cookie:\s*(?P<set_cookie>((?:(?!\\\r).)*))"

OR

props.conf

EXTRACT-set_cookie = (?i)Set-Cookie:\s*(?P<set_cookie>((?:(?!\\r).)*))

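To see why the transform from the question truncates the value and why the accepted answer's pattern does not, here is an added Python example (it is not part of the thread and not Splunk code). It runs both regexes, unchanged, over the response-header part of the event posted in the question, with one extra Set-Cookie header that is constructed for this example so that multi-value extraction (the MV_ADD case) is visible. The `extract_set_cookies` and `cookie_attributes` helpers are assumptions of this example, not a Splunk API.

```python
import re

# Constructed sample: the response-header fragment of the Squid event from the question,
# plus a second, made-up Set-Cookie header so that multi-value extraction can be shown.
# The "\r\n" sequences are four literal characters in the log (backslash, r, backslash, n),
# not real line breaks, exactly as the original poster confirmed in the thread.
SAMPLE_EVENT = (
    r'"HTTP/1.1 200 OK\r\nDate: Wed, 30 Jul 2014 10:41:22 GMT\r\nServer: Apache-Coyote/1.1\r\n'
    r'Set-Cookie: jive.security.context=\"4Z2cMbTSRIsGjW.LTE=\"; Version=1; Max-Age=2592000; '
    r'Expires=Fri, 29-Aug-2014 10:41:22 GMT; Path=/;HttpOnly\r\n'
    r'Set-Cookie: example_session=abc123; Path=/; Secure; HttpOnly\r\n'  # constructed header
    r'Vary: User-Agent\r\nConnection: Keep-Alive\r\n\r"'
)

# The regex from the question's transforms.conf. "[^\\]+" stops at the first backslash,
# which in the first cookie is the backslash escaping the quote in jive.security.context=\"...\",
# so the value is cut short right after "=".
ORIGINAL_REGEX = r'(?i)\\nSet-Cookie: (?P<set_cookie>[^\\]+)'

# The regex from the accepted answer. The tempered token "(?:(?!\\r).)*" consumes any character
# as long as the literal two-character sequence "\r" does not start at that position, so the
# match runs to the end of the header line and keeps the escaped quotes inside the value.
FIXED_REGEX = r'(?i)Set-Cookie:\s*(?P<set_cookie>((?:(?!\\r).)*))'


def extract_set_cookies(event: str, regex: str = FIXED_REGEX) -> list:
    """Return every set_cookie capture in the event, like a transform with MV_ADD = true."""
    return [m.group("set_cookie") for m in re.finditer(regex, event)]


def cookie_attributes(set_cookie: str) -> dict:
    """Split one Set-Cookie value into its name, value and attribute map (bare flags map to True)."""
    parts = [p.strip() for p in set_cookie.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")  # split on the first "=" only; the value may contain "="
    attrs = {}
    for part in parts[1:]:
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else True
    return {"name": name.strip(), "value": value.strip(), "attributes": attrs}


if __name__ == "__main__":
    print("original regex:", extract_set_cookies(SAMPLE_EVENT, ORIGINAL_REGEX))
    print("fixed regex:   ", extract_set_cookies(SAMPLE_EVENT))
    # A defender typically wants the attributes, e.g. to alert on session cookies missing HttpOnly/Secure.
    for sc in extract_set_cookies(SAMPLE_EVENT):
        info = cookie_attributes(sc)
        print(info["name"], "HttpOnly" if info["attributes"].get("httponly") else "no HttpOnly",
              "Secure" if info["attributes"].get("secure") else "no Secure")
```

Running it shows the original pattern returning only `jive.security.context=` for the first cookie while still returning the whole constructed second cookie, because that one contains no escaped quote; the accepted answer's pattern returns both values in full. The tempered token only works because the `\r\n` are literal characters in the log; if the headers were separated by real line breaks, a simple `[^\r\n]+` capture would be the usual choice instead.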
psidler
Explorer

Thank you very much for your help.
Now I receive the result I expect!

Best Regards,
Patrik


psidler
Explorer

They are literal characters. They appear as \r\n in the message. In Splunk they look the same as here in this post.


somesoni2
Revered Legend

One more question: I can see some "\r\n" in your logs. Are they the literal characters "\r\n", or are they newlines that got converted here while pasting?


psidler
Explorer

That is what I expect:

jive.security.context=\"4Z2cMbTSRIsGjW.LTE=\"; Version=1; Max-Age=2592000; Expires=Fri, 29-Aug-2014 10:41:22 GMT; Path=/;HttpOnly

and that is what I get with my Regular Expression:

jive.security.context=

somesoni2
Revered Legend

What is the expected value for set_cookie (from the sample event)?


psidler
Explorer

The whole event looks like this:

176 192.168.200.176:1096 TCP_MISS/200 779 GET http://community.xmatters.com/__services/v2/rest/browserEvents/1406716809714? - DIRECT/204.93.75.166 application/json "Accept: application/json, text/javascript, */*; q=0.01\r\nAccept-Language: de-ch\r\nReferer: http://community.xmatters.com/welcome\r\nx-j-token: no-user\r\nx-requested-with: XMLHttpRequest\r\nContent-Type: application/json\r\nAccept-Encoding: gzip, deflate\r\nUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)\r\nHost: community.xmatters.com\r\nProxy-Connection: Keep-Alive\r\nCookie: jive.security.context=\"4Z2cMbTSRIsGjW.LTE=\"; JSESSIONID=350D94C62712F8858A.; BIGipServerm2s4c5-20-pool=1795401482.20480.0000; __utma=167379756.1989004756.1406722801.1406722801.1406722801.1; __utmb=167379756.1.10.1406722801; __utmc=167379756; __utmz=167379756.1406722801.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); lastDocument=Willkommen%20%7C%20xCommunity; _mkto_trk=id:178-CPU-592&token:_mch-xmatters.com-1406722802185-40555\r\n" "HTTP/1.1 200 OK\r\nDate: Wed, 30 Jul 2014 10:41:22 GMT\r\nServer: Apache-Coyote/1.1\r\nP3P: CP=\"CAO PSA OUR\"\r\nX-JIVE-USER-ID: -1\r\nContent-Type: application/json\r\nContent-Length: 76\r\nExpires: Wed, 30 Jul 2014 10:41:22 GMT\r\nCache-Control: no-store, no-cache, must-revalidate, private, max-age=0\r\nX-UA-Compatible: IE=edge\r\nX-JSL: D=4582 t=1406716882338765\r\nSet-Cookie: jive.security.context=\"4Z2cMbTSRIsGjW.LTE=\"; Version=1; Max-Age=2592000; Expires=Fri, 29-Aug-2014 10:41:22 GMT; Path=/;HttpOnly\r\nVary: User-Agent\r\nKeep-Alive: timeout=5, max=100\r\nConnection: Keep-Alive\r\n\r"

dshpritz
SplunkTrust

You may want to post the whole event. The regex can be changed, but to do so, it will most likely require context.
