Below is the sample result I get after running a query.
Mar 2 19:38:25 myhost apache2: "123.12.13.14" - - [02/Mar/2017:19:38:25 +0000] "POST /here/is/my/url?p=12345a-12d-12e-12r-123456&t=1111ea-11c1-111e-111c-1111111-99999999 HTTP/1.1" http_status_code=500 http_response_bytes=291 http_referer="-" http_user_agent="Java1.6.0_75" http_response_time=6526 http_ttfb=6439
I need to extract that 9999999 (after those 1111's) and list it out in a separate field. I am having a difficult time using rex in Splunk. Somebody please help me out here.
This will extract the last digits before the HTTP/1.1
and the field name will be Digits
... | rex "(?<Digits>\d+)\sHTTP\/1\.1"
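To show what the pattern above captures, the following added example (not part of the original thread) runs it over the event from the question and two constructed events. `STRICT_RE`, which ties the digits to the end of the `t=` parameter, and the extra log lines are assumptions made for illustration.

```python
import re

# The answer's pattern. Python's re needs (?P<name>...); Splunk's PCRE-based
# rex accepts that form as well as (?<name>...).
ANSWER_RE = re.compile(r'(?P<Digits>\d+)\sHTTP/1\.1')

# Assumed stricter variant (not from the thread): only digits that end the
# t= query parameter, with any HTTP version, up to the closing quote.
STRICT_RE = re.compile(r'[?&]t=[^\s&"]*-(?P<Digits>\d+)\sHTTP/\d(?:\.\d)?"')

# SAMPLE is the event from the question; the other two are constructed.
SAMPLE = ('Mar 2 19:38:25 myhost apache2: "123.12.13.14" - - '
          '[02/Mar/2017:19:38:25 +0000] "POST /here/is/my/url'
          '?p=12345a-12d-12e-12r-123456'
          '&t=1111ea-11c1-111e-111c-1111111-99999999 HTTP/1.1" '
          'http_status_code=500 http_response_bytes=291 http_referer="-" '
          'http_user_agent="Java1.6.0_75" http_response_time=6526 '
          'http_ttfb=6439')
NO_T_PARAM = ('Mar 2 19:40:01 myhost apache2: "123.12.13.14" - - '
              '[02/Mar/2017:19:40:01 +0000] "GET /orders/2017 HTTP/1.1" '
              'http_status_code=200')
HTTP2 = ('Mar 2 19:41:07 myhost apache2: "123.12.13.14" - - '
         '[02/Mar/2017:19:41:07 +0000] "POST /here/is/my/url?t=aaaa-42 '
         'HTTP/2.0" http_status_code=200')


def extract(pattern, line):
    """Return the Digits capture as a string, or None when nothing matches."""
    m = pattern.search(line)
    return m.group("Digits") if m else None


def compare(lines):
    """Return (answer_pattern_result, strict_pattern_result) per line."""
    return [(extract(ANSWER_RE, l), extract(STRICT_RE, l)) for l in lines]


if __name__ == "__main__":
    for answer, strict in compare([SAMPLE, NO_T_PARAM, HTTP2]):
        print(f"answer pattern: {answer!s:>10}   strict pattern: {strict}")
```

On the event from the question both patterns return the same value; they differ only when the path itself ends in digits or the request is not HTTP/1.1.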