Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Field Extraction-- Grab 3 digits between fixed words

skoelpin
SplunkTrust
SplunkTrust
‎05-20-2015 12:28 PM

I have 3 different status codes which I need extracted, the words around them will be fixed and never change

I will have 3 different status codes (200, 400, 0)

So far I have 

^StatusCode>(?P<StatusCode>\d{1,3})

It will always look like this

<a:StatusCode>200</a:StatusCode>
<a:StatusCode>400</a:StatusCode>
<a:StatusCode>0</a:StatusCode>

Tags (2)
Reply
1 Solution
Solved! Jump to solution
Solution

jacobwilkins
Communicator
‎05-20-2015 01:25 PM

In props.conf, under the stanza for this sourcetype (lets pretend it is called foo):

[foo]
EXTRACT-statuscode=^<a:StatusCode>(?<StatusCode>\d*)</a:StatusCode>$

That should do it. You might have to strip the anchors (either ^ or $) if the event doesn't always appear on a line by itself with no leading whitespace.

The the event is 100% XML, you might try this instead:

[foo]
KV_MODE=xml

View solution in original post

Reply
Solved! Jump to solution
Solution

jacobwilkins
Communicator
‎05-20-2015 01:25 PM

In props.conf, under the stanza for this sourcetype (lets pretend it is called foo):

[foo]
EXTRACT-statuscode=^<a:StatusCode>(?<StatusCode>\d*)</a:StatusCode>$

That should do it. You might have to strip the anchors (either ^ or $) if the event doesn't always appear on a line by itself with no leading whitespace.

The the event is 100% XML, you might try this instead:

[foo]
KV_MODE=xml
Reply
Solved! Jump to solution

skoelpin
SplunkTrust
SplunkTrust
‎05-20-2015 06:17 PM

This worked perfectly! I didn't know you could extract in props.conf, that's good to know

Can you elaborate on KV_MODE=xml?

Thanks for your help!!

0 Karma
Reply
Solved! Jump to solution

MuS
Legend
‎05-20-2015 06:22 PM

from the docs on props.conf http://docs.splunk.com/Documentation/Splunk/6.2.3/admin/Propsconf

Specifies the field/value extraction mode for the data.
* Set KV_MODE to one of the following:
    * xml : automatically extracts fields from XML data.
Reply
Solved! Jump to solution

regexcracker
New Member
‎05-20-2015 12:40 PM

If the logger is in xml format then use

mysearch | xmlkv | search StatusCode | table StatusCode

if its a normal logger,

mysearch | rex field=_raw "(?<code>\d+)" | table StatusCode

OR try

mysearch | rex field=_raw "(?<code>\d+)" | table StatusCode

0 Karma
Reply
Solved! Jump to solution

skoelpin
SplunkTrust
SplunkTrust
‎05-20-2015 01:12 PM

Thanks for the reply. I need to extract a field so my team can use it at anytime. Any suggestions on the regex for extracting the field?

0 Karma
Reply
Solved! Jump to solution

stephanefotso
Motivator
‎05-20-2015 03:00 PM

here you go: ..|rex field=_raw "\&lt;a\:StatusCode\&gt;(?&lt;statuscode&gt;\d+)\&lt;"|table statuscode

SGF
0 Karma
Reply
Solved! Jump to solution

pradeepkumarg
Influencer
‎05-20-2015 12:39 PM

rex "(?i)StatusCode\W(?P&lt;StatusCode&gt;.\d+)\W"

0 Karma
Reply
Solved! Jump to solution

skoelpin
SplunkTrust
SplunkTrust
‎05-20-2015 01:15 PM

Thanks for the reply. Nothing appeared when I put this in

index=uvtrans ...| rex "(?i)StatusCode\W(?P<StatusCode>.\d+)\W"

0 Karma
Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...