I'm monitoring DHCP logs and I'm trying to separate out known device types with the aim of looking for unknown devices
The logs look like this:
11,11/14/13,00:00:51,Renew,10.31.33.80,SEP001D4595B090.domain.network.net,001D4595B090,,1745420288,0,,,
11,11/14/13,00:00:26,Renew,10.158.17.26,SEP00070E57638D.domain.network.net,00070E57638D,,2453602304,0,,,
11,11/14/13,00:00:09,Renew,10.138.0.165,SEP00070E576801.domain.network.net,00070E576801,,777519104,0,,,
11,11/14/13,00:00:08,Renew,10.31.81.20,SEP00070E166D6A.domain.network.net,00070E166D6A,,3095134208,0,,,
11,11/13/13,23:59:30,Renew,10.60.20.165,PCName11236547.domain.network.net,001F29D30E99,,27259500,0,,,
11,11/13/13,23:55:39,Renew,10.50.8.68,Laptop1254657.domain.network.net,001E0B8DE6DC,,6225026,0,,,
I can regex out the device name using the interactive field extractor on the hostname field
(?i)^(?:[^,]*,){5}(?P
but that lists all the host names:
SEP001D4595B090
SEP00070E57638D
SEP00070E576801
SEP00070E166D6A
PCName11236547
Laptop1254657
What I want to do is to be able to separate them out to device type so
SEP001D4595B090, SEP00070E57638D, SEP00070E576801 and SEP00070E166D6A can be marked as phones
PCName11236547 can be marked as a PC
Laptop1254657 can be marked as a laptop
anything that does not match can be more easily identified and the groups can be processed differently.
Have tried adding references such as "SEP" into the regex expression, but it gets used as an anchor and excluded from the results
eg (?i)^(?:[^,]*,){5}SEP(?P
This identifies all the phones, but they get listed without SEP in the field value
001D4595B090
00070E57638D
00070E576801
00070E166D6A
How do I include the regex search parameters in the result?
Tweak your phone identifier like this:
(?i)^(?:[^,]*,){5}(?P<phonedevice>SEP[^.]+)
This pulls out those same field contents, but the entire contents of the field are now the value in the field. Do more of these for each device type like this:
(?i)^(?:[^,]*,){5}(?P<pcdevice>PC[^.]+)
(?i)^(?:[^,]*,){5}(?P<laptopdevice>Laptop[^.]+)
Another approach is to use a single named field for devicename (or some other field name) and then use eventtypes or tags to designate the various sub-device types. This would look like:
(?i)^(?:[^,]*,){5}(?P<devicename>[^.]+)
Then define an eventtype for each one like:
eventtype name: phonedevice
definition: devicename=SEP*
Repeat that for each type of sub-device, or do the similar thing with tags if you prefer that route.
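The single-field extraction plus prefix classification described above, as an added example that is not part of the question or the answer: it runs the devicename regex over the sample lines from the question plus one constructed unknown host, mirrors the eventtype definitions as prefix tests, and collects anything unmatched so it can be reviewed. The character class is tightened from the answer's [^.]+ to [^.,]+ so an empty hostname field fails extraction instead of swallowing the rest of the line.

```python
import re

# First three lines are copied from the question's DHCP log excerpt; the
# last line is constructed to exercise the "does not match" path.
SAMPLE_LOG = """\
11,11/14/13,00:00:51,Renew,10.31.33.80,SEP001D4595B090.domain.network.net,001D4595B090,,1745420288,0,,,
11,11/13/13,23:59:30,Renew,10.60.20.165,PCName11236547.domain.network.net,001F29D30E99,,27259500,0,,,
11,11/13/13,23:55:39,Renew,10.50.8.68,Laptop1254657.domain.network.net,001E0B8DE6DC,,6225026,0,,,
11,11/13/13,23:50:02,Renew,10.50.8.70,raspberrypi.domain.network.net,B827EB112233,,6225027,0,,,
"""

# Same shape as the answer's single-field regex: skip five comma-separated
# fields, then capture the hostname up to the first dot. [^.,]+ (instead of
# [^.]+) refuses to match when the hostname field is empty.
DEVICENAME_RE = re.compile(r"(?i)^(?:[^,]*,){5}(?P<devicename>[^.,]+)")

# Equivalent of the answer's eventtypes (devicename=SEP*, PC*, Laptop*).
DEVICE_TYPES = (
    ("phone", "SEP"),
    ("pc", "PC"),
    ("laptop", "Laptop"),
)


def classify(devicename):
    """Return the device type for a hostname, or 'unknown' if no prefix
    matches. Case-insensitive, like the (?i) flag on the extraction."""
    name = devicename.lower()
    for label, prefix in DEVICE_TYPES:
        if name.startswith(prefix.lower()):
            return label
    return "unknown"


def classify_log(text):
    """Extract devicename from each log line and group hostnames by type.
    Lines where the extraction fails are kept whole under 'unparsed'."""
    groups = {label: [] for label, _ in DEVICE_TYPES}
    groups["unknown"] = []
    groups["unparsed"] = []
    for line in text.splitlines():
        m = DEVICENAME_RE.match(line)
        if not m:
            groups["unparsed"].append(line)
            continue
        name = m.group("devicename")
        groups[classify(name)].append(name)
    return groups
```

Running classify_log(SAMPLE_LOG) puts the SEP host under phone, the PC and Laptop hosts under their types, and raspberrypi under unknown, which is the bucket to inspect for unexpected devices.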
Works a treat!! Thanks