Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

rex for http2 field in log

he204035
Explorer
‎01-27-2022 02:15 PM

In the following log entry as "_raw":

"OPTIONS /nnrf-nfm/v1 HTTP/2.0" 405 173 "-" "gmlc-http-client/2.0" "-"

 

I have successful rex for the "405" error field location and "173" error field location.

I would like to build a rex to identify the "gmlc-http-client" section of that log entry.  (That field can show several different client types between those quotes.)

My rex is as follows:

rex field=_raw "HTTP\/2\.0\"\s\d{3}\s\d{3}\s\"\-\"\s\"(?<Error3>)\"\s\"\-\""

This rex does not error, but the result comes back as null/blank.  

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

johnhuang
Motivator
‎01-27-2022 05:44 PM

Try these. One is greedier than the other.

| rex field=_raw "\"OPTIONS([^\"]*)?HTTP\/\d\.\d\"\s\d+\s\d+\s[^\s]*\s\"(?<http_client>[^\"]*)"

| rex field=_raw "HTTP\/\d\.\d\"\s\d+\s\d+\s[^\s]*\s\"(?<http_client>[^\"]*)"

View solution in original post

Reply
Solved! Jump to solution

yuanliu
SplunkTrust
SplunkTrust
‎01-28-2022 03:15 AM
rex field=_raw "HTTP\/2\.0\"\s\d{3}\s\d{3}\s\"\-\"\s\"(?<Error3>)\"\s\"\-\""

This rex does not error, but the result comes back as null/blank.  

The expression "(?<Error3>)" positively looks for zero-length match, hence zero-length Error3.  @johnhuang's suggestion of (?<Error3>[^\"]+) will fix this.  Overall, the above is too rigid.  Although httpd logs are highly standard, it is not safe to assume that a blank field ("-") will always be blank, for example.  Expressions like [^\"]+ are good lubricants for this purpose.

Reply
Solved! Jump to solution
Solution

johnhuang
Motivator
‎01-27-2022 05:44 PM

Try these. One is greedier than the other.

| rex field=_raw "\"OPTIONS([^\"]*)?HTTP\/\d\.\d\"\s\d+\s\d+\s[^\s]*\s\"(?<http_client>[^\"]*)"

| rex field=_raw "HTTP\/\d\.\d\"\s\d+\s\d+\s[^\s]*\s\"(?<http_client>[^\"]*)"
Reply
Solved! Jump to solution

he204035
Explorer
‎01-28-2022 05:52 AM

The second suggestion did the trick.  Thank you!

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | I’m short for "configuration file.” What am I?

May 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with a Special ...

New Articles from Academic Learning Partners, Help Expand Lantern’s Use Case Library, ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Your Guide to SPL2 at .conf24!

So, you’re headed to .conf24? You’re in for a good time. Las Vegas weather is just *chef’s kiss* beautiful in ...