I have my LTM logging all the Content-length entries for all incoming requests to splunk via the HSL. My problem is trying to get all the records where the Content-length is greater than 10k
I have tried these two, but they do not work:
Content-length:\s+\d{5} and Content-length:\s+[1-9]\d{4}
If it remove the \s+\d{5} or \s+[1-9]\d{4} I see plenty of logs with larger than 10k numbers. See sample below, the text inside <> are just to make them anonymous. You will see the content length is 364k, much larger than 10k. Thanks, Bill
Nov 13 15:14:25
The reason that there is a problem is because you are trying to match against a lower number instead of the number that is there. So to match against a number that is at least 5 digits in length but can be longer you can use the following regex:
\d{5}\d*
or just \d{5,}