I have data as below:
Request-all-Headers = Accept - */* Authorization - Bearer m6CsheaxrlMKIBH3vZ0EXk5G3rw6 Content-Type - application/json Host - api.ingrammicro.com IM-CorrelationID - 213.45245849 IM-CountryCode - TN IM-CustomerNumber - 44-999999 IM-SenderID - Global Reward Solutions simulateStatus - IM::SHIPPED X-Forwarded-For - 10.0.0.0X-Forwarded-Port - 123 X-Forwarded-Proto - https
and a working regex below from regex101:
IM-CountryCode\s+-\s+(?P<country>[A-Z]{2})\s+IM-CustomerNumber\s+-\s+(?P<custno>[0-9]+-[0-9]{6})
Now when I tried the same with Splunk, Splunk is not able to extract the fields. My Splunk query is below:
index=test sourcetype="test"
| rex field=Request-all-Headers "IM-CountryCode\s+-\s+(?P<country>[A-Z]{2})"
| rex field=Request-all-Headers "IM-CustomerNumber\s+-\s+(?P<custno>[0-9]+-[0-9]{6})"
I even tried changing the variable name, but no luck.
Have you tried on the _raw field?
like
rex field=_raw "your_regex"
I did not try _raw earlier, but when I did just now, it worked. But still, I am not clear why Request-all-Headers is not working, since I can see that this field is getting extracted properly without any rex.
No, it is still not working in Splunk with the real event. I can see the events, but the query is not doing anything. The makeresults is something I tried in all ways, and it works with makeresults but not with the query on the original event.
| makeresults | eval Request-all-Headers="Accept - */* Authorization - Bearer m6CsheaxrlMKIBH3vZ0EXk5G3rw6 Content-Type - application/json Host - api.ingrammicro.com IM-CorrelationID - 213.45245849 IM-CountryCode - TN IM-CustomerNumber - 44-999999 IM-SenderID - Global Reward Solutions simulateStatus - IM::SHIPPED X-Forwarded-For - 10.0.0.0X-Forwarded-Port - 123 X-Forwarded-Proto - https" | rex field=Request-all-Headers "IM-CountryCode\s+-\s+(?P<country>[A-Z]{2})"
| rex field=Request-all-Headers "IM-CustomerNumber\s+-\s+(?P<custno>[0-9]+-[0-9]{6})" | table Request-all-Headers country custno
Hi, can you try your original search?
| makeresults | eval Request-all-Headers="Accept - */* Authorization - Bearer m6CsheaxrlMKIBH3vZ0EXk5G3rw6 Content-Type - application/json Host - api.ingrammicro.com IM-CorrelationID - 213.45245849 IM-CountryCode - TN IM-CustomerNumber - 44-999999 IM-SenderID - Global Reward Solutions simulateStatus - IM::SHIPPED X-Forwarded-For - 10.0.0.0X-Forwarded-Port - 123 X-Forwarded-Proto - https" | rex field=Request-all-Headers "IM-CountryCode\s+-\s+(?P<country>[A-Z]{2})\s+IM-CustomerNumber\s+-\s+(?P<custno>[0-9]+-[0-9]{6})" | table Request-all-Headers country custno
Try putting the field name in single quotes in the rex command.
Single quotes did not work.
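The extraction the thread is after, as an added Python example that is not part of the thread: it runs the original regex unchanged (Python's re accepts the same (?P<name>...) groups as Splunk's rex) against the makeresults string, and also splits the whole "Name - value" blob into a dict, which separates the run-together 10.0.0.0X-Forwarded-Port pair. The header-name rule and the redaction helper are my assumptions, not anything from the thread.

```python
import re

# Constructed sample: the header blob from the thread's makeresults test
# (the bearer value is the thread's own dummy string, not a live credential).
SAMPLE = (
    "Accept - */* Authorization - Bearer m6CsheaxrlMKIBH3vZ0EXk5G3rw6 "
    "Content-Type - application/json Host - api.ingrammicro.com "
    "IM-CorrelationID - 213.45245849 IM-CountryCode - TN IM-CustomerNumber - 44-999999 "
    "IM-SenderID - Global Reward Solutions simulateStatus - IM::SHIPPED "
    "X-Forwarded-For - 10.0.0.0X-Forwarded-Port - 123 X-Forwarded-Proto - https"
)

# The thread's regex, unchanged: Python's re understands the same
# (?P<name>...) named groups that Splunk's rex (PCRE) uses.
THREAD_RE = re.compile(
    r"IM-CountryCode\s+-\s+(?P<country>[A-Z]{2})\s+"
    r"IM-CustomerNumber\s+-\s+(?P<custno>[0-9]+-[0-9]{6})"
)

def extract_country_custno(blob):
    """Return (country, custno) the way the rex would, or (None, None) if no match."""
    m = THREAD_RE.search(blob)
    return (m.group("country"), m.group("custno")) if m else (None, None)

# Assumed header-name rule: a name starts with a letter, continues with letters,
# digits or hyphens, and is followed by " - ". No word boundary is required, so
# the run-together "10.0.0.0X-Forwarded-Port" still splits at the "X".
HEADER_NAME = re.compile(r"([A-Za-z][A-Za-z0-9-]*)\s+-\s+")

def parse_flat_headers(blob):
    """Split 'Name - value Name - value ...' into a dict, in order of appearance."""
    headers = {}
    names = list(HEADER_NAME.finditer(blob))
    for i, m in enumerate(names):
        # A value runs up to the next header name, so multi-word values survive.
        end = names[i + 1].start() if i + 1 < len(names) else len(blob)
        headers[m.group(1)] = blob[m.end():end].strip()
    return headers

# Assumed list of headers whose values should never reach an index or a ticket.
SENSITIVE = {"authorization", "cookie", "proxy-authorization"}

def redact(headers):
    """Copy of the header dict with credential-bearing values masked."""
    return {k: ("<redacted>" if k.lower() in SENSITIVE else v) for k, v in headers.items()}

if __name__ == "__main__":
    print(extract_country_custno(SAMPLE))  # ('TN', '44-999999')
    print(redact(parse_flat_headers(SAMPLE)))
```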