I have the following JBoss HTTP log entry
00.00.00.253 11.11.111.111 [27/Sep/2011:00:45:31 -0700] GET /xyz/images/spacer.png HTTP/1.1 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; WOW64; Trident/4.0; GTB7.1; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.5.30729; .NET CLR 1.1.4322; .NET4.0C; .NET CLR 3.0.30729)' 200 153 0
rex ="[\d+\.]+\s(?P<source_ip>[\d+\.]+)\s\[\d+"
I already tried specifying sourcetype as access_combined. Splunk does not want to recognize the format correctly, so I am forced to extract with regex.
This won't work right for some reason and I can't extract source_ip. I am going after the 2nd IP on the line. What am I doing wrong?
Try removing the '=' before your regex. The rex command syntax is:
rex [field=<field>] (<regex-expression> [max_match=<int>] | mode=sed <sed-expression>)
hence
rex "[\d+\.]+\s(?P<source_ip>[\d+\.]+)\s\[\d+"
Thank you. That fixed it. 🙂
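As an added check that is not part of the question or the answer, the accepted pattern run in Python, whose (?P<name>...) group syntax is the same one the rex command uses; the stricter pattern and the whole-line parser are my own assumptions fitted to the sample line's layout, not Splunk's access_combined definition.

```python
import re

# Constructed sample: the line from the question with the user-agent string trimmed for width.
SAMPLE_LINE = ("00.00.00.253 11.11.111.111 [27/Sep/2011:00:45:31 -0700] GET /xyz/images/spacer.png HTTP/1.1 "
               "'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)' 200 153 0")

# The pattern from the accepted answer, unchanged.
ANSWER_PATTERN = re.compile(r"[\d+\.]+\s(?P<source_ip>[\d+\.]+)\s\[\d+")

# Assumed stricter variant: inside brackets, \d+ is not "one or more digits", so [\d+\.]+ is a class of
# digit, '+' and '.', and will happily capture a token such as 5.6.7.8+9. This one demands dotted quads.
STRICT_PATTERN = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}\s(?P<source_ip>\d{1,3}(?:\.\d{1,3}){3})\s\[")

# Assumed whole-line parser for the layout shown in the question: two IPs, bracketed timestamp,
# request line, single-quoted user agent, then status, bytes and elapsed time.
LINE_PATTERN = re.compile(
    r"^(?P<first_ip>\S+)\s(?P<source_ip>\S+)\s\[(?P<timestamp>[^\]]+)\]\s"
    r"(?P<method>[A-Z]+)\s(?P<path>\S+)\s(?P<protocol>HTTP/[\d.]+)\s"
    r"'(?P<user_agent>[^']*)'\s(?P<status>\d{3})\s(?P<bytes>\d+|-)\s(?P<elapsed>\d+)$"
)


def extract_source_ip(line, pattern=ANSWER_PATTERN):
    """Return the second IP on the line, or None when the pattern does not match."""
    m = pattern.search(line)
    return m.group("source_ip") if m else None


def parse_line(line):
    """Split one log line into a dict of named fields, or return None if it does not fit the layout."""
    m = LINE_PATTERN.match(line)
    if not m:
        return None
    fields = m.groupdict()
    fields["status"] = int(fields["status"])
    return fields


if __name__ == "__main__":
    print(extract_source_ip(SAMPLE_LINE))  # 11.11.111.111
    print(parse_line(SAMPLE_LINE))
```

Testing a rex pattern this way before putting it in a search is quick, and the strict variant shows why a loose character class can capture more than an address when the second column is not what you expect.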