Solved: weird ip address with leading zeros

tuneit · ‎06-10-2014

Hi all,

I have a log file which has weird ip addresses as followings. There are leading zeros.

2014.06.10 13:14:56 src=011.009.120.010  dst=210.097.011.009 action=...
2014.06.10 13:14:57 src=010.123.090.003  dst=211.094.000.007 action=...
...

What would be the best way to eliminate the leading zeros?

Thank you.

Ayn · ‎06-10-2014

Do you want to eliminate them in the actual indexed data or are you fine with removing the leading zeroes when you extract this to a field?

In the former case, you could use SEDCMD in props.conf:.

[yoursourcetype]
SEDCMD = s/(src=|dst=)0*([^.]+\.)0*([^.]+\.)0*([^.]+\.)0*(\d+)/\1\2\3\4\5/g

In the latter, using rex inline in your search will do what you want:

... | rex field=youripfield mode=sed "s/\.0+/./g"

Ayn · ‎06-10-2014

Do you want to eliminate them in the actual indexed data or are you fine with removing the leading zeroes when you extract this to a field?

In the former case, you could use SEDCMD in props.conf:.

[yoursourcetype]
SEDCMD = s/(src=|dst=)0*([^.]+\.)0*([^.]+\.)0*([^.]+\.)0*(\d+)/\1\2\3\4\5/g

In the latter, using rex inline in your search will do what you want:

... | rex field=youripfield mode=sed "s/\.0+/./g"

tuneit · ‎06-12-2014

Thank you Ayn.

weird ip address with leading zeros