Has anyone extracted requests via the transforms? Here is a request:
request="
GET /poormanscron/run-cron-check HTTP/1.1\r\n
Host: x.y.edu\r\n
Connection: keep-alive\r\n
Accept: */*\r\n
X-Requested-With: XMLHttpRequest\r\n
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.102 Safari/537.36\r\n
Referer: https://x.y.edu/financial-assistance\r\n
Accept-Encoding: gzip, deflate, sdch, br\r\n
Accept-Language: en-US,en;q=0.8\r\n
Cookie: SESS0764812227b85da9e7ceb1311b5f950e=38v7r59t6scm9l02geuthpc5u7; TS01f58e10=0134f538f1e08d9f9d835b438c8361643992f8dc5a4d270d8e1652970585e3345f954dbc6da74b8946acd7b38a6e8dc63931106a31; TS018c07de_77=0838ed4c3cab28005afebacfed6da5eda6d3b209abd823273aa05738bdb18bf4c560496fb71daf3170ad3ebc28ccf0ab0828c52475823800599c3b63a9af76589385764d9c42d62f69e62745f94bf7b339537549fdac65782526adf6584fb5e8dce96e5ba1b8241d24b13014e5029c14; TS018c07de=0134f538f1e026a86801ef06f832b83fef8a674a7f899a706c4086919c209142555e93a47f; has_js=1\r\n
If-Modified-Since: Thu, 09 Jun 2016 19:49:28 GMT\r\n
\r\n
",
Wondering if the fields within the request can be extracted via transforms, or if these have to be extracted manually?
Thx,
Jeff
Anything that you can build a RegEx for can be made an automatic extraction. Build it manually with rex
first and then translate it to props.conf and transforms.conf.
Thx for the reply
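As an added example (not from the question or from either answer): the "build it with rex first, then translate" workflow above, prototyped in Python so the same regex can be checked against the posted request before it goes into props.conf and transforms.conf. The sample event is the question's request, abridged (the two TS* cookies are dropped) and labelled constructed; the sourcetype and stanza names and the cookie redaction are assumptions. Validate the emitted REGEX in the Field Transformations UI or with `| rex` before deploying.

```python
"""Prototype an HTTP-request extraction in Python, then emit the matching
transforms.conf / props.conf stanzas. Added example; names are assumptions."""
import re

# Constructed sample: the request from the question, abridged (TS* cookies
# dropped), keeping the literal two-character "\r\n" escapes as they were posted.
SAMPLE_EVENT = r'''request="GET /poormanscron/run-cron-check HTTP/1.1\r\n
Host: x.y.edu\r\n
Connection: keep-alive\r\n
Accept: */*\r\n
X-Requested-With: XMLHttpRequest\r\n
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.102 Safari/537.36\r\n
Referer: https://x.y.edu/financial-assistance\r\n
Accept-Encoding: gzip, deflate, sdch, br\r\n
Accept-Language: en-US,en;q=0.8\r\n
Cookie: SESS0764812227b85da9e7ceb1311b5f950e=38v7r59t6scm9l02geuthpc5u7; has_js=1\r\n
If-Modified-Since: Thu, 09 Jun 2016 19:49:28 GMT\r\n
\r\n
",'''

# (?P<name>...) groups are valid in both Python's re and Splunk's PCRE, so the
# pattern can be pasted into transforms.conf unchanged.
REQUEST_LINE_RE = (r'request="(?P<http_method>[A-Z]+) (?P<uri_path>\S+) '
                   r'(?P<http_version>HTTP/\d\.\d)')

# One header per match: group 1 is the field name, group 2 the value
# (FORMAT = $1::$2). The value stops at a real CR/LF or at the backslash of a
# literal "\r\n", so the pattern works whichever way the event was encoded.
HEADER_RE = r'(?:^|\\r\\n|\r?\n)([A-Za-z][\w-]*): ([^\r\n\\]*)'


def clean_key(name: str) -> str:
    """Mimic transforms.conf CLEAN_KEYS (default true): non [A-Za-z0-9_] -> '_'."""
    return re.sub(r'[^A-Za-z0-9_]', '_', name)


def extract(event: str) -> dict:
    """Return the fields the two transforms would produce for one event."""
    fields = {}
    m = re.search(REQUEST_LINE_RE, event)
    if m:
        fields.update(m.groupdict())
    # finditer emulates REPEAT_MATCH = true: every header line yields a field.
    for h in re.finditer(HEADER_RE, event):
        fields[clean_key(h.group(1))] = h.group(2)
    return fields


def cookie_names(fields: dict) -> list:
    """Cookie names are enough to fingerprint the application; the values are
    session credentials and should not be indexed as searchable fields."""
    raw = fields.get('Cookie', '')
    return [c.split('=', 1)[0].strip() for c in raw.split(';') if c.strip()]


COOKIE_VALUE_RE = r'(Cookie: )[^\r\n\\]*'


def redact_cookies(event: str) -> str:
    """Search-time stand-in for an index-time props.conf SEDCMD that strips the
    Cookie value before session IDs land in the index (assumed hardening)."""
    return re.sub(COOKIE_VALUE_RE, r'\1[REDACTED]', event)


def transforms_conf() -> str:
    """transforms.conf stanzas built from the same two patterns (names assumed)."""
    return (
        '[http_request_line]\n'
        f'REGEX = {REQUEST_LINE_RE}\n'
        '\n'
        '[http_request_headers]\n'
        f'REGEX = {HEADER_RE}\n'
        'FORMAT = $1::$2\n'
        'REPEAT_MATCH = true\n'
    )


def props_conf(sourcetype: str = 'my_web_log') -> str:
    """props.conf stanza wiring both transforms to a sourcetype (name assumed)."""
    return (
        f'[{sourcetype}]\n'
        'REPORT-http_request = http_request_line, http_request_headers\n'
    )


if __name__ == '__main__':
    fields = extract(SAMPLE_EVENT)
    for key, value in fields.items():
        print(f'{key} = {value}')
    print('cookie names:', cookie_names(fields))
    print(transforms_conf())
    print(props_conf())
```

The header transform turns every `Name: value` line into its own field, so `Host`, `User_Agent`, `Referer` and friends appear without writing one regex per header. Note that the Cookie header in the posted request contains a live session ID; once it is an extracted field, anyone with read access to the index can search for it, so either leave Cookie out of the extraction or redact it at index time as `redact_cookies` does here.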
You can build with regex101.com first, to make it easier.
You should be able to extract using the Field Transformations UI:
http://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Managefieldtransforms
Thx for the reply