Solved: regex and rex issue advise for extraction of http ...

g_prez · ‎07-13-2011

Trying to do an inline regex on the snip of log below.
The item that I am trying to extract is the hostname admin.testweb.com or at least that Host: field
The regex that I came up with was "Host:\s(?P)<013>
But what I am getting out of that regex is "admin.testweb.com<013><010>Content-Length: 797"
What I am trying to get out of the extraction is .. admin.testweb.com

Help ?

Accept-Language: en-us<013><010>User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.1; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)<013><010>Content-Type: application/x-www-form-urlencoded<013><010>Accept-Encoding: gzip, deflate<013><010>Host: admin.testweb.com<013><010>Content-Length: 797<013><010>Connection:

David · ‎07-13-2011

Perhaps try "Host:\s(?<web_host>[^\<]*"?

[^ABC]* will find match any string until it hits either an A, B or C, and I've found it works very well for Splunk Regexs. I would assume you have to escape a <, but potentially you can try "Host:\s(?<web_host>[^<]*" as well.

View solution in original post

g_prez · ‎07-15-2011

yep that did the trick and I did not have to escape the < !

David · ‎07-20-2011

Excellent! I'm glad to hear it.

David · ‎07-13-2011

Perhaps try "Host:\s(?<web_host>[^\<]*"?

[^ABC]* will find match any string until it hits either an A, B or C, and I've found it works very well for Splunk Regexs. I would assume you have to escape a <, but potentially you can try "Host:\s(?<web_host>[^<]*" as well.

regex and rex issue advise for extraction of http headers

Help ?

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life