field extraction regex

Question

THis might be a bit difficult, but i want to try anyways... I am trying to aggrgate source and destination IP addresses across a few different device types. For all device types the src and dest ip addresses are valid IPV4 but one type can show Ip addresses in two formats.

192.168.1.1
or HOSTNAME1_192.168.1.2

the field looks like this when i want to extract it

src=192.168.1.1
or 
src=HOSTNAME1_192.168.1.2

in the lea-loggrabber-splunk/local/transforms.conf the kv extraction looks like this in this

[src_ip]
SOURCE_KEY=src
REGEX=(.*)
FORMAT=src_ip::$1

which means that I am trying to aggregate IPs that may or may not match.

Two part question: Is there a way to write a regex that will grab only the IP part from the string (either following the = or _ if the ip starts with HOSTNAME1_192.168.1.2)?

would the best way be to define a new field value for just the IP and one for the hostname HOSTNAME1_192.168.1.2 ->(hostname::$1)_(ip::$2)

secondly would this be best approached by a seperate transforms stanza and props.conf entry (REPORT-ip-extact = ) for the sourcetype([opsec])?

Accepted Answer

1

Try the following

[extract_hostnum_ip]
SOURCE_KEY=src
REGEX=(?:HOSTNAME(?<hostnum>\d+)_)?(?<ip>\d+\.\d+\.\d+\.\d+)

link

answered 12 Jul '10, 16:13

Ledion Bitincka ♦
2.0k●4●7
accept rate: 33%

would that line be added to props or transforms? My guess is props.conf

(26 Jul '10, 17:41) EricPartington

field extraction regex

Follow this question

Splunk Resources

Related questions