- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to edit my regular expression to extract a fie...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'm trying to create a field extraction based on data: Host: www.ditto.dut.com\r\nIf-Modified-Since: Tue where the field=host: and value is www.ditto.dut.com ... the other info isn't needed.
When I use www.regex101.com to create the expression, I come up with ... Host:\s(?<host:>\S+)\\r
But when I try it in Splunk | rex field=_raw "Host:\s(?<http_request_host2>\S+)\\r" ... it doesn't work until I remove the \\r at which time the result shows www.ditto.dut.com\r\nIf-Modified-Since: Tue
I would like a result that ends at the \r\n and doesn't include it.
I don't know why I'm having so much trouble with the \r\n, but any help would be appreciated.
I have read through the forums and other web search without a solution.
added 12/20/2016 -
I am receiving data from F5-ASM (key-value-pairs) which seems to put a \r\n between each key-value pairing.
Thank You,
Sean
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Give this a try
your base search | rex "Host:\s(?<http_request_host2>[^\\\\]+)"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Give this a try
your base search | rex "Host:\s(?<http_request_host2>[^\\\\]+)"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Could you provide some same values where it didn't work. The above works if used with the sample you provided in question. (see this runanywhere sample search)
| gentimes start=-1 | eval _raw="Host: www.ditto.dut.com\r\nIf-Modified-Since: Tue" | table _raw | rex "Host:\s(?<http_request_host2>[^\\\\]+)"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you for the comment but didn't work.
add update: 20161220
You are correct, | rex field=_raw "Host:\s(?<http_request_host3>[^\\\\]+)" is working!!
Thank you for being persistent and suggesting I double check. I appreciate it.
Introducing the Splunk Community Dashboard Challenge!
Wondering How to Build Resiliency in the Cloud?
Updated Data Management and AWS GDI Inventory in Splunk Observability
