Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Field Extraction-- Grab 3 digits between fixed words

skoelpin
SplunkTrust
SplunkTrust
‎05-20-2015 12:28 PM

I have 3 different status codes which I need extracted, the words around them will be fixed and never change

I will have 3 different status codes (200, 400, 0)

So far I have 

^StatusCode>(?P<StatusCode>\d{1,3})

It will always look like this

<a:StatusCode>200</a:StatusCode>
<a:StatusCode>400</a:StatusCode>
<a:StatusCode>0</a:StatusCode>

Tags (2)
Reply
1 Solution
Solved! Jump to solution
Solution

jacobwilkins
Communicator
‎05-20-2015 01:25 PM

In props.conf, under the stanza for this sourcetype (lets pretend it is called foo):

[foo]
EXTRACT-statuscode=^<a:StatusCode>(?<StatusCode>\d*)</a:StatusCode>$

That should do it. You might have to strip the anchors (either ^ or $) if the event doesn't always appear on a line by itself with no leading whitespace.

The the event is 100% XML, you might try this instead:

[foo]
KV_MODE=xml

View solution in original post

Reply
Solved! Jump to solution
Solution

jacobwilkins
Communicator
‎05-20-2015 01:25 PM

In props.conf, under the stanza for this sourcetype (lets pretend it is called foo):

[foo]
EXTRACT-statuscode=^<a:StatusCode>(?<StatusCode>\d*)</a:StatusCode>$

That should do it. You might have to strip the anchors (either ^ or $) if the event doesn't always appear on a line by itself with no leading whitespace.

The the event is 100% XML, you might try this instead:

[foo]
KV_MODE=xml
Reply
Solved! Jump to solution

skoelpin
SplunkTrust
SplunkTrust
‎05-20-2015 06:17 PM

This worked perfectly! I didn't know you could extract in props.conf, that's good to know

Can you elaborate on KV_MODE=xml?

Thanks for your help!!

0 Karma
Reply
Solved! Jump to solution

MuS
Legend
‎05-20-2015 06:22 PM

from the docs on props.conf http://docs.splunk.com/Documentation/Splunk/6.2.3/admin/Propsconf

Specifies the field/value extraction mode for the data.
* Set KV_MODE to one of the following:
    * xml : automatically extracts fields from XML data.
Reply
Solved! Jump to solution

regexcracker
New Member
‎05-20-2015 12:40 PM

If the logger is in xml format then use

mysearch | xmlkv | search StatusCode | table StatusCode

if its a normal logger,

mysearch | rex field=_raw "(?<code>\d+)" | table StatusCode

OR try

mysearch | rex field=_raw "(?<code>\d+)" | table StatusCode

0 Karma
Reply
Solved! Jump to solution

skoelpin
SplunkTrust
SplunkTrust
‎05-20-2015 01:12 PM

Thanks for the reply. I need to extract a field so my team can use it at anytime. Any suggestions on the regex for extracting the field?

0 Karma
Reply
Solved! Jump to solution

stephanefotso
Motivator
‎05-20-2015 03:00 PM

here you go: ..|rex field=_raw "\&lt;a\:StatusCode\&gt;(?&lt;statuscode&gt;\d+)\&lt;"|table statuscode

SGF
0 Karma
Reply
Solved! Jump to solution

pradeepkumarg
Influencer
‎05-20-2015 12:39 PM

rex "(?i)StatusCode\W(?P&lt;StatusCode&gt;.\d+)\W"

0 Karma
Reply
Solved! Jump to solution

skoelpin
SplunkTrust
SplunkTrust
‎05-20-2015 01:15 PM

Thanks for the reply. Nothing appeared when I put this in

index=uvtrans ...| rex "(?i)StatusCode\W(?P<StatusCode>.\d+)\W"

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...