I am using the following Splunk query to get all the response content and their corresponding response status code.

index=main env=nonprod sourcetype="*sample-service*" "response"

Sample response log from the above Splunk query looks like:

||INFO||||Response:{"requestId":"369018b6-0fd4-11ee-be56-0242ac120002","headers":{"Content-Type":["application/json"]},"url":"https://sample-service.abcCompany.com","statusCode":200,"method":"POST","timeTaken":98,"body":{"..":"..","...":"..."}}

I am trying to extract the statusCode as a field so that I can see the number of occurrences of each http statusCode from the service response.

Here is the regular expression I tried to extract statusCode: "statusCode":([\d]*)

I tried using above regular expression in the Splunk query: index=main env=nonprod sourcetype="*sample-service*" "response" | rex "statusCode":([\d]*)

But I got an error from the search parser: Error in 'SearchParser': Missing a search command before '\'. I am not sure how to implement this to extract the statusCode field so that I can visualize the number of occurrences of each statusCode.

My expected result sample is:

statusCode count
200 5000
404 4
schanjr

1 Answer

Although your regular expression "statusCode":([\d]*) correctly captures the statusCode, I think it would work if you escape the " characters and specify a named group.

So, the regex would be: \"statusCode\":(?<statusCode>[\d]*)

So, the final Splunk query would look like:

index=main env=nonprod sourcetype="*sample-service*" "response" 
| rex "\"statusCode\":(?<statusCode>[\d]*)" 
| stats count by statusCode 

Demo for regex match and named capture group: https://regex101.com/r/UWdib7/1

Vijaya Pandey
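The reason the original search failed is that in SPL the quoted string ends at the second `"`, so `"statusCode":([\d]*)` is parsed as the string `"statusCode"` followed by stray text, which is why the backslashes in the answer are needed. The following Python script is an added example, not part of the question or answer, that applies the answer's regex to a few constructed log lines in the shape shown above and reproduces what `rex` followed by `stats count by statusCode` produces. It assumes that an event with no match contributes nothing to the count, and it treats an empty capture (which `[\d]*` permits, for example when a service quotes the value as `"statusCode":"200"`) the same way; the `strict` variant with `\d+` shows how to avoid that empty capture entirely.

```python
import re
from collections import Counter

# Constructed sample events modelled on the log line in the question (not real service logs).
SAMPLE_LOGS = [
    '||INFO||||Response:{"requestId":"369018b6-0fd4-11ee-be56-0242ac120002",'
    '"headers":{"Content-Type":["application/json"]},"url":"https://sample-service.abcCompany.com",'
    '"statusCode":200,"method":"POST","timeTaken":98,"body":{"..":".."}}',
    '||INFO||||Response:{"requestId":"1","headers":{},"url":"https://sample-service.abcCompany.com",'
    '"statusCode":200,"method":"GET","timeTaken":12,"body":{}}',
    '||INFO||||Response:{"requestId":"2","headers":{},"url":"https://sample-service.abcCompany.com",'
    '"statusCode":404,"method":"GET","timeTaken":5,"body":{}}',
    '||INFO||||Response:{"requestId":"3","headers":{},"url":"https://sample-service.abcCompany.com",'
    '"statusCode":500,"method":"POST","timeTaken":301,"body":{}}',
    # An event the base search could also return that carries no statusCode at all.
    '||INFO||||Request:{"requestId":"4","method":"POST","url":"https://sample-service.abcCompany.com"}',
    # A variant where the value is quoted; [\d]* matches here but captures an empty string.
    '||INFO||||Response:{"requestId":"5","statusCode":"200","method":"GET"}',
]

# The answer's regex, using Python's (?P<name>...) spelling of the named group.
STATUS_RE = re.compile(r'"statusCode":(?P<statusCode>[\d]*)')

# Stricter variant (assumption, not from the answer): \d+ refuses to match when no digit follows.
STATUS_RE_STRICT = re.compile(r'"statusCode":(?P<statusCode>\d+)')


def extract_status(line, pattern=STATUS_RE):
    """Mirror `rex`: return the captured statusCode, or None when the pattern does not match."""
    m = pattern.search(line)
    return m.group("statusCode") if m else None


def count_by_status(lines, pattern=STATUS_RE):
    """Mirror `stats count by statusCode`: events without the field are not counted.

    Empty captures are treated as a missing field here (an assumption of this script).
    """
    counts = Counter()
    for line in lines:
        code = extract_status(line, pattern)
        if code:
            counts[code] += 1
    return dict(counts)


def status_table(lines, pattern=STATUS_RE):
    """Render the counts in the 'statusCode count' layout shown in the question."""
    counts = count_by_status(lines, pattern)
    rows = ["statusCode count"]
    rows.extend(f"{code} {n}" for code, n in sorted(counts.items()))
    return "\n".join(rows)


if __name__ == "__main__":
    print(status_table(SAMPLE_LOGS))
    print()
    print("strict:")
    print(status_table(SAMPLE_LOGS, STATUS_RE_STRICT))
```

Running the script shows three buckets (200, 404, 500) from the four well-formed Response events; the Request event and the quoted-value event are dropped by both patterns, the latter because `[\d]*` captured nothing and `\d+` did not match at all. If your service ever emits the quoted form, adding `\"?` around the capture in the rex is the fix, not widening `[\d]*`.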