Solved: How do I edit my regex to extract this field from ...

athorat · ‎02-17-2016

Want to extract only /ubi-v2/api/scoresummary from the below mentioned event in a field.
Rex used:

`| rex "(?<remote_addr>[^\s]*) -(| ) (| )- \[(?<time_local>[^\]]*)\] \"(?<request>[^\"]*)\" (?<status>[^\s]*) (?<body_bytes_sent>[^\s]*)"

Event:

172.26.129.10 - - [16/Feb/2016:23:59:55 -0700] "GET /ubi-v1/api/ubidevicestatus?vin=1N4AL3AP3DC114528 HTTP/1.1" 500 1696

Don't need the entire "GET" Request,Tried using (GET[^\?]*) but that does not get any results
Thanks for looking into this.

somesoni2 · ‎02-17-2016

Try like this (run anywhere sample, first two lines are only to generate data, replace that with your base search)

| gentimes start=-1 | eval _raw="172.26.129.10 - - [16/Feb/2016:23:59:55 -0700] \"GET /ubi-v1/api/ubidevicestatus?vin=1N4AL3AP3DC114528  HTTP/1.1\" 500 1696" | table _raw
| rex "(?<remote_addr>[^\s]*)\s+\S+\s+\S+\s+\[(?<time_local>[^\]]*)\] \"(?<method>\S+)\s+(?<request>[^?\"\s]*).*\" (?<status>[^\s]*) (?<body_bytes_sent>[^\s]*)"

View solution in original post

somesoni2 · ‎02-17-2016

Try like this (run anywhere sample, first two lines are only to generate data, replace that with your base search)

| gentimes start=-1 | eval _raw="172.26.129.10 - - [16/Feb/2016:23:59:55 -0700] \"GET /ubi-v1/api/ubidevicestatus?vin=1N4AL3AP3DC114528  HTTP/1.1\" 500 1696" | table _raw
| rex "(?<remote_addr>[^\s]*)\s+\S+\s+\S+\s+\[(?<time_local>[^\]]*)\] \"(?<method>\S+)\s+(?<request>[^?\"\s]*).*\" (?<status>[^\s]*) (?<body_bytes_sent>[^\s]*)"

How do I edit my regex to extract this field from my sample event?

Join Us for Splunk University and Get Your Bootcamp Game On!

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

Announcing Scheduled Export GA for Dashboard Studio