Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How can I extract two fields as a single field in my search result.

ranjyotiprakash
Communicator
‎04-29-2012 10:26 PM

How can I extract two fields as a single field in my search result. The log format is as follows :

Apr 24 18:37:07 10.11.26.83 2012-04-24 06:07:09.732 -0700 barracuda WF ALER SQL_INJECTION_IN_URL 99.99.182.1 44727 99.99.83.74 80 security-policy GLOBAL DENY NONE [type="sql-injection-medium" pattern="sql-comments" token="/"] GET 99.99.83.74/index.html// HTTP "-" "Wget/1.12 (linux-gnu)" 99.99.182.1 44727 "-" "-"

The two fields in bold letters are the application_ip and application_port fields respectively. And I want to extract the two fields together in my search results in the format of application_ip:application:port . How can this be done ?
Please help ...
Thanks...

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Damien_Dallimor
Ultra Champion
‎04-29-2012 11:07 PM

Here is an extraction that should work with the above sample event text.I don't know what all your events look like so I can only provide an example regex based on what you provided, therefore you may need to adjust the regex as necessary to work with a wider selection of event text formats.

... | rex field=_raw "^(?i).+barracuda\s\w+\s\w+\s\w+\s\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\s\d{2,5}\s(?<ipaddress>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\s(?<port>\d{2,5})\s.+$" | eval ip_port=ipaddress+":"+port | table ip_port

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

Damien_Dallimor
Ultra Champion
‎04-29-2012 11:07 PM

Here is an extraction that should work with the above sample event text.I don't know what all your events look like so I can only provide an example regex based on what you provided, therefore you may need to adjust the regex as necessary to work with a wider selection of event text formats.

... | rex field=_raw "^(?i).+barracuda\s\w+\s\w+\s\w+\s\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\s\d{2,5}\s(?<ipaddress>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\s(?<port>\d{2,5})\s.+$" | eval ip_port=ipaddress+":"+port | table ip_port
0 Karma
Reply
Solved! Jump to solution

ranjyotiprakash
Communicator
‎04-29-2012 11:09 PM

Thanks a lot Damien ... This works ...

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | I’m short for "configuration file.” What am I?

May 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with a Special ...

New Articles from Academic Learning Partners, Help Expand Lantern’s Use Case Library, ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Your Guide to SPL2 at .conf24!

So, you’re headed to .conf24? You’re in for a good time. Las Vegas weather is just *chef’s kiss* beautiful in ...