Solved: Re: Why is the regular expression for rex in my se...

dbcase · ‎08-08-2016

Hi,

I have this data

fn.util.SingleDeviceDebugger - RCVD REST request from premise 101: GET /rest/icontrol/login HTTP/1.1 Host: betamax-portal1:8080 X-ClientInfo: 7.3.7.49 X-loginEncoded: false Accept: */* X-password: ******** X-AppKey: defaultKey X-allowNonActivatedLogin: true X-Device-Name: Corey's iPhone Cache-Control: no-cache Accept-Language: en-us Accept-Encoding: gzip, deflate X-login: coreyq User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 9_3_3 like Mac OS X) AppleWebKit/601.1.46 (KHTML, like Gecko) Mobile/13G34 X-Device-Id: 64020C05-5038-4F4C-A39C-EE5FA4C27720 X-format: json Cookie: JSESSIONID=9wNqgG6jvrOAbC6QjgOlkhusReOT9xhNtSEPvKOrmke0utWnUuY6!-823929644 X-expires: 1800000 X-Device-Type: Device Via: 1.1 beta.icontrol.com X-Forwarded-For: 63.239.122.42 X-Forwarded-Host: beta.icontrol.com X-Forwarded-Server: beta.icontrol.com Connection: close expand: sites,instances,points,functions

and this regex User-Agent:\s(.+?)\s(?<status>)

Rex 101 shows that it matches, but when I use it in Splunk I get zero matches

earliest=-6h host="*beta*" index=wls sourcetype=wls_managedserver "X-login"|rex "User-Agent:\s(.+?)\s(?<status>)"

sundareshr · ‎08-08-2016

Try this

... | rex "User-Agent:\s(?<ua>[^\s]+)" | ...

View solution in original post

JDukeSplunk · ‎08-08-2016

Try this

|rex field=_raw "User-Agent: (?P<User_Agent>[^\(]+)"

dbcase · ‎08-08-2016

That worked! Many many thanks!!!! One other thing I'm trying to do is get the Chrome/51.0.2704.81 portion

com.ucontrol.rest.security.LoggingFilter - RCVD REST request: GET /rest/icontrol/login HTTP/1.1 Host: betamax-portal2:8080 Pragma: no-cache Cache-Control: no-cache X-AppKey: defaultKey X-allowNonActivatedLogin: true X-password: ******** X-format: json X-loginEncoded: false User-Agent: Mozilla/5.0 (Linux; Android 6.0.1; Robin Build/MMB29M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/51.0.2704.81 Mobile Safari/537.36 X-login: nvelie X-ClientInfo: 7.3.6.26 X-expires: 1800000 Accept: / Accept-Encoding: gzip, deflate Accept-Language: en-US Cookie: JSESSIONID=BXVqeOwp3DpPlNsks1mLjlMk6sNXPLMhvxVex2du6d84Tr6--3lF!-594369723 X-Requested-With: com.icontrol.converge.mobileapp Via: 1.1 beta.icontrol.com X-Forwarded-For: 24.227.215.211 X-Forwarded-Host: beta.icontrol.com X-Forwarded-Server: beta.icontrol.com Connection: close expand: sites,instances,points,functions

dbcase · ‎08-08-2016

and of course Chrome/51.0.2704.81 could be safari, another version of chrome, firefox, etc

sundareshr · ‎08-08-2016

Try this

... | rex "User-Agent:\s(?<ua>[^\s]+)" | ...

dbcase · ‎08-08-2016

Ah nevermind, I see what you are doing.... That works! Thanks!

sundareshr · ‎08-08-2016

What are you trying to capture for status? Did it work?

dbcase · ‎08-08-2016

Hmmmm still not matching

earliest=-6h host="beta" index=wls sourcetype=wls_managedserver "X-login"| rex "User-Agent:\s(?< ua >[^\s]+)(?< status >)"|timechart count by status (spaces have been removed in the real query)

This query gives the status field but only 1 value, NULL

dbcase · ‎08-08-2016

Oh, one more bit of info, I'm trying to extract the Mozilla/5.0 text just after User-Agent:

Why is the regular expression for rex in my search not extracting the field from my sample data?

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

.conf24 | Personalize your .conf experience with Learning Paths!

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...