Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Field Extraction-- Grab 3 digits between fixed words

skoelpin
SplunkTrust
SplunkTrust
‎05-20-2015 12:28 PM

I have 3 different status codes which I need extracted, the words around them will be fixed and never change

I will have 3 different status codes (200, 400, 0)

So far I have 

^StatusCode>(?P<StatusCode>\d{1,3})

It will always look like this

<a:StatusCode>200</a:StatusCode>
<a:StatusCode>400</a:StatusCode>
<a:StatusCode>0</a:StatusCode>

Tags (2)
Reply
1 Solution
Solved! Jump to solution
Solution

jacobwilkins
Communicator
‎05-20-2015 01:25 PM

In props.conf, under the stanza for this sourcetype (lets pretend it is called foo):

[foo]
EXTRACT-statuscode=^<a:StatusCode>(?<StatusCode>\d*)</a:StatusCode>$

That should do it. You might have to strip the anchors (either ^ or $) if the event doesn't always appear on a line by itself with no leading whitespace.

The the event is 100% XML, you might try this instead:

[foo]
KV_MODE=xml

View solution in original post

Reply
Solved! Jump to solution
Solution

jacobwilkins
Communicator
‎05-20-2015 01:25 PM

In props.conf, under the stanza for this sourcetype (lets pretend it is called foo):

[foo]
EXTRACT-statuscode=^<a:StatusCode>(?<StatusCode>\d*)</a:StatusCode>$

That should do it. You might have to strip the anchors (either ^ or $) if the event doesn't always appear on a line by itself with no leading whitespace.

The the event is 100% XML, you might try this instead:

[foo]
KV_MODE=xml
Reply
Solved! Jump to solution

skoelpin
SplunkTrust
SplunkTrust
‎05-20-2015 06:17 PM

This worked perfectly! I didn't know you could extract in props.conf, that's good to know

Can you elaborate on KV_MODE=xml?

Thanks for your help!!

0 Karma
Reply
Solved! Jump to solution

MuS
Legend
‎05-20-2015 06:22 PM

from the docs on props.conf http://docs.splunk.com/Documentation/Splunk/6.2.3/admin/Propsconf

Specifies the field/value extraction mode for the data.
* Set KV_MODE to one of the following:
    * xml : automatically extracts fields from XML data.
Reply
Solved! Jump to solution

regexcracker
New Member
‎05-20-2015 12:40 PM

If the logger is in xml format then use

mysearch | xmlkv | search StatusCode | table StatusCode

if its a normal logger,

mysearch | rex field=_raw "(?<code>\d+)" | table StatusCode

OR try

mysearch | rex field=_raw "(?<code>\d+)" | table StatusCode

0 Karma
Reply
Solved! Jump to solution

skoelpin
SplunkTrust
SplunkTrust
‎05-20-2015 01:12 PM

Thanks for the reply. I need to extract a field so my team can use it at anytime. Any suggestions on the regex for extracting the field?

0 Karma
Reply
Solved! Jump to solution

stephanefotso
Motivator
‎05-20-2015 03:00 PM

here you go: ..|rex field=_raw "\&lt;a\:StatusCode\&gt;(?&lt;statuscode&gt;\d+)\&lt;"|table statuscode

SGF
0 Karma
Reply
Solved! Jump to solution

pradeepkumarg
Influencer
‎05-20-2015 12:39 PM

rex "(?i)StatusCode\W(?P&lt;StatusCode&gt;.\d+)\W"

0 Karma
Reply
Solved! Jump to solution

skoelpin
SplunkTrust
SplunkTrust
‎05-20-2015 01:15 PM

Thanks for the reply. Nothing appeared when I put this in

index=uvtrans ...| rex "(?i)StatusCode\W(?P<StatusCode>.\d+)\W"

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing Splunk Enterprise 9.2

WATCH HERE! Watch this Tech Talk to learn about the latest features and enhancements shipped in the new Splunk ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...