regex difficulty with host / path discrimination

tyronetv · ‎05-01-2014

I have a log file that has the host as either an IP address OR a FQDN. This is easy, right. Nope. The format can be:

192.168.1.1/inbox/to/file

or

192 .168.1.1inbox/to/another-file

or

host.com/inbox/to/file

or

host.cominbox/to/another-file

I can regex the ip easy enough \d{1,3}.\d{1,3}.\d{1,3}.\d{1,3}

so that handles the first two . .

For the third one, I can do a greedy up to / [^/]+

problem is the last one, actually...

The perfect solution would be one regex for the extract regardless. Written out it would be:

everything up to either / or the word 'inbox'

That way, I can do the extract as :

(?<HOST>(provided regex))

Thanks!

The full entry is gathered by:

^\d{4}.\d{2}.\d{2}\s\d{2}:\d{2}\s(?<Transmissionformat>\w)\s(<Fileone>[^-]+)\s(?<DIRECTION>\S{3})\s(?<HOST>???????)(?<Filetwo>[^$]+)$

I need the ???? part replaced with a regex that will do as described above.

2014.04.28 14:10 B n:\path\one\to\fileone <-- 172.21.1.2Inbox/path/filetwo

somesoni2 · ‎05-01-2014

This works with your sample data.

|stats count |fields - count | eval host="192.168.1.1/inbox/to/file,192 .168.1.1inbox/to/another-file,host.com/inbox/to/file,host.cominbox/to/another-file" | eval host=split(host,",") | mvexpand host | rex field=host "^(?<hostName>[^/]*)(/)*inbox"

somesoni2 · ‎05-01-2014

Tried this and worked fine.

tyronetv · ‎05-01-2014

(?<HOST>[^/(?<!Ii)]+)

That sort of works.. but concerned if the FQDN has an 'i' in it.

regex difficulty with host / path discrimination

Detecting Remote Code Executions With the Splunk Threat Research Team

Observability | Use Synthetic Monitoring for Website Metadata Verification

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk