Hi, my splunk logs are in the following format :
"POST /v2/endpoint HTTP/1.0" 200 91 "http://example.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36" 0.029 "127.0.0.1" "some-id"
I need to extract the status (200 in this case) and the response time (0.029 in this case) in my Splunk search.
How can I achieve this? I tried using regexes, but delimiting on spaces fails because the data also contains spaces 😞
Is there any way I can get these?
Hi adwaitkaley,
try with
\"[^\"]*\"\s(?<status>\d+)([^\"]*\"){4}\s(?<response_time>[^ ]*)
or in command
| rex "\"[^\"]*\"\s(?<status>\d+)([^\"]*\"){4}\s(?<response_time>[^ ]*)"
Could you share some additional samples? There's probably some additional problem (see https://regex101.com/r/yYhGra/1).
Bye.
Giuseppe
Hi cusello,
Awesome! This is exactly what I was looking for 🙂
I literally hate the way the logs are set up; key-value pairs make life a hell of a lot easier.
Is there a way we can tokenize the other elements in the logs too?
That would help immensely.
Hi adwaitkaley,
in the same way
\"(?<field1>[^\"]*)\"\s(?<status>\d+)\s(?<substatus>\d+)\s\"(?<url>[^\"]*)\"\s\"(?<client>[^\"]*)\"\s(?<response_time>[^ ]*)\s\"(?<IP>[^\"]*)\"\s\"(?<field2>[^\"]*)\"
see https://regex101.com/r/yYhGra/2
If this answer satisfies your need, please accept it.
Bye.
Giuseppe
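To check both regexes from this thread offline before putting them in a rex command, here is an added example that is not part of the thread: it takes the two patterns exactly as posted, converted only from PCRE named-group syntax (?<name>...) to Python's (?P<name>...), runs them over the line from the question plus two constructed lines (one 403 response and one malformed line), and flags failed or slow requests. The thresholds, the constructed lines and the helper names are assumptions for illustration.

```python
import re

# Minimal pattern from the first answer: status + response_time only.
# Converted from PCRE (?<name>) to Python (?P<name>); otherwise identical.
STATUS_TIME = re.compile(
    r'"[^"]*"\s(?P<status>\d+)([^"]*"){4}\s(?P<response_time>[^ ]*)'
)

# Full tokenising pattern from the second answer, same conversion.
FULL_LINE = re.compile(
    r'"(?P<field1>[^"]*)"\s(?P<status>\d+)\s(?P<substatus>\d+)\s"(?P<url>[^"]*)"\s'
    r'"(?P<client>[^"]*)"\s(?P<response_time>[^ ]*)\s"(?P<IP>[^"]*)"\s"(?P<field2>[^"]*)"'
)

SAMPLE_LINES = [
    # The line from the question.
    '"POST /v2/endpoint HTTP/1.0" 200 91 "http://example.com/" '
    '"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 '
    '(KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36" 0.029 "127.0.0.1" "some-id"',
    # Constructed: a denied request with an empty referer and a slow response.
    '"GET /admin HTTP/1.1" 403 512 "-" "curl/7.64.1" 1.250 "10.0.0.5" "req-42"',
    # Constructed: a malformed line that must not match either pattern.
    'garbage line without quoted fields',
]


def extract_status_and_time(line):
    """Apply the minimal pattern; return (status, response_time) or None."""
    m = STATUS_TIME.search(line)
    if m is None:
        return None
    return int(m.group("status")), float(m.group("response_time"))


def parse_line(line):
    """Apply the full pattern; return a dict of all fields or None if it does not match."""
    m = FULL_LINE.search(line)
    if m is None:
        return None
    fields = m.groupdict()
    # field1 is the request line; split it into method/path/protocol (assumed layout).
    parts = fields["field1"].split(" ")
    if len(parts) == 3:
        fields["method"], fields["path"], fields["protocol"] = parts
    fields["status"] = int(fields["status"])
    fields["substatus"] = int(fields["substatus"])
    fields["response_time"] = float(fields["response_time"])
    return fields


def slow_or_failed(lines, max_seconds=1.0):
    """Return parsed records with an HTTP error status or a response slower than max_seconds."""
    flagged = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable lines are skipped, not silently mis-tokenised
        if rec["status"] >= 400 or rec["response_time"] > max_seconds:
            flagged.append(rec)
    return flagged


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(extract_status_and_time(line))
        print(parse_line(line))
    print([r["field2"] for r in slow_or_failed(SAMPLE_LINES)])
```

The two patterns agree on status and response_time for every line they both match, so the minimal one is enough for the original question and the full one is what you want when you go on to filter by client, IP or request path in Splunk.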