Splunk Search

Regex that covers both cases

lpolo
Motivator

I have the following log events both on the same source log:

Log 1:

[21/Jul/2016:11:34:28 +0000] 99.125.125.201 "AB" "53096a9f-cef9-4047-83a5-07deda1d2939" "POST /call/service HTTP/1.1" 200 211 0.001

Regex:

rex "(?<IP>[^ ]+) \"(?<PartnerId>\\w+)\" \"(?<correlationId>[^\"]+)\"\ \"(?<ServiceCall>.*?)\" (?<HTTP_Code>[\d]+) (?<HTTP_PayLoad>[\d]+) (?<Duration>.*)"

Log 2:

[21/Jul/2016:11:35:43 +0000] 99.125.95.251 "03483b34-1cc2-42d7-b612-db545efab897" "POST /call/service HTTP/1.1" 200 10448 0.002

Regex:

rex "(?<IP>[^ ]+) \"(?<correlationId>[^\"]+)\"\ \"(?<ServiceCall>.*?)\" (?<HTTP_Code>[\d]+) (?<HTTP_PayLoad>[\d]+) (?<Duration>.*)"

Question:
What will be the Regex that covers both cases?

Thanks,
Lp

Tags (2)
0 Karma
1 Solution

javiergn
SplunkTrust
SplunkTrust

What about this?

| rex "^\[\d{2}\/\w{3}\/\d{4}:\d{2}:\d{2}:\d{2} [\-\+]\d{4}\] (?<IP>[^ ]+) (\"(?<PartnerId>\w+)\" )?\"(?<correlationId>[^\"]+)\" \"(?<ServiceCall>[^\"]+)\" (?<HTTP_Code>[\d]+) (?<HTTP_PayLoad>[\d]+) (?<Duration>[\d\.]+)$"

View solution in original post

richgalloway
SplunkTrust
SplunkTrust

This works with your sample data on regex101.com.

rex "(?<IP>[^ ]+) (:\"(?<PartnerId>\w+)\" )?\"(?<correlationId>[^\"]+)\"\ \"(?<ServiceCall>.*?)\" (?<HTTP_Code>[\d]+) (?<HTTP_PayLoad>[\d]+) (?<Duration>.*)"
---
If this reply helps you, Karma would be appreciated.

lpolo
Motivator

It does not work. Thanks,

0 Karma

richgalloway
SplunkTrust
SplunkTrust

It works in regex101.com. Be sure to escape the '"' characters in your rex command.

---
If this reply helps you, Karma would be appreciated.
0 Karma

javiergn
SplunkTrust
SplunkTrust

What about this?

| rex "^\[\d{2}\/\w{3}\/\d{4}:\d{2}:\d{2}:\d{2} [\-\+]\d{4}\] (?<IP>[^ ]+) (\"(?<PartnerId>\w+)\" )?\"(?<correlationId>[^\"]+)\" \"(?<ServiceCall>[^\"]+)\" (?<HTTP_Code>[\d]+) (?<HTTP_PayLoad>[\d]+) (?<Duration>[\d\.]+)$"

lpolo
Motivator

It does work.
Thanks,
Lp

0 Karma

javiergn
SplunkTrust
SplunkTrust

No worries. If you are happy with the answer can you mark it as such so that others can benefit from it?

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...