Splunk Search

negative regex in search command

AdrienW
Explorer

Dear,

I have an issue with a regular expression in a search command.
I have in a log a field called "src" with some IPs as the value of this field.
I succeeded in matching the IPs which begin with 192 with this command:

rex .*nosrc=(?192\.\d+\.\d+\.\d+).*

Now I would like to match all the IPs that DO NOT begin with 192. How can I do that?

Is the "^" character recognised by Splunk?

Regards,

1 Solution

Ayn
Legend

Sure. I would use eval for this. The process would be to first extract the field containing the IP address, then use eval for determining whether the IP address is internal or external and write the result to a field, and finally feed this into timechart.

... | rex "src=(?<src_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})" | eval conntype=if(match(src_ip,"^192"),"Outbound","Inbound") | timechart span=1d count by conntype

You could also build this into timechart directly:

... | rex "src=(?<src_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})" | timechart span=1d count(eval(match(src_ip,"^192"))) AS Outbound, count(eval(NOT match(src_ip,"^192"))) AS Inbound

NOTE: I didn't cover the case of purely internal traffic, but that's just a matter of extracting both the source and destination IP and adding the case where they both are considered to be internal. Also NOTE that you shouldn't just be testing whether the address begins with 192, lots of public Internet addresses begin with 192 as well. You should be checking for 192.168.

AdrienW
Explorer

You're right, I'll check for the 192.168.

Thanks!

AdrienW
Explorer

Thanks for your edit.

My last question is about the way to encapsulate all the regexes to build this graph:

[image omitted]

I have to match all the IPs beginning with 192 (dark green), all the IPs without 192 (light green) and build a graph like this.
But I think I can't with the "search NOT ip=192.*" command because it filters at the end, no?

I would like, if it's possible, to do the 2 commands like:

command01(only 192) AS inbound command02(only without 192) AS outbound | timechart ......

Is it possible?

Ayn
Legend

It seems some of your text got lost in the formatting. I'm assuming your search looks something like:

... | rex ".*nosrc=(?<somefieldname>192\.\d+\.\d+\.\d+).*"

First of all, you don't need the leading and trailing .*. Splunk will match that automatically. Second, if all you need is a specific regex matching any IP numbers that do not begin with 192, this should work:

... | rex "nosrc=(?<somefieldname>19[^2]\.\d+\.\d+\.\d+)"

That said, the approach is kind of weird and it might be better to just match all IPs in general and instead apply this kind of filtering separately once the field has been extracted. My suggestion would be to do something like

... | rex "nosrc=(?<somefieldname>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})" | search NOT somefieldname="192.*"
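
The two answers above (the accepted one with `match(src_ip,"^192")` and this one with `19[^2]`) both come down to one point: a character class like `[^2]` negates a single character, not the prefix "192", so the robust way to get "everything that does not begin with 192" is to extract every IP with a general pattern and negate afterwards, or to use a negative lookahead. The following Python is an added example, not code from the thread or from Splunk; the log lines are constructed, the day prefix stands in for `_time`, and the function names are my own. It also shows the `\d{3}` extraction from later in the thread and why it only returns two addresses, and applies Ayn's caveat that 192.x is not private by classifying against the RFC 1918 ranges instead of the "192" prefix.

```python
from __future__ import annotations

import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample events (not from the thread). Each line starts with the day,
# which stands in for _time so the example can bucket by day like timechart span=1d.
SAMPLE_LOG = """\
2024-05-01 10:00:01 action=allow src=192.168.1.10 dst=8.8.8.8
2024-05-01 10:00:02 action=allow src=109.202.232.150 dst=192.168.1.10
2024-05-01 10:00:03 action=allow src=169.254.144.215 dst=192.168.1.11
2024-05-01 10:00:04 action=allow src=192.0.2.44 dst=192.168.1.12
2024-05-02 10:00:05 action=allow src=10.1.2.3 dst=192.168.1.12
2024-05-02 10:00:06 action=allow src=192.168.7.8 dst=192.168.1.1
2024-05-02 10:00:07 action=allow src=198.51.100.9 dst=192.168.1.1
"""

# The general extraction from the answers: any dotted quad that follows "src=".
SRC_ANY = re.compile(r"src=(?P<src_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})")
# The \d{3} variant from the thread: only octets that are exactly three digits wide match.
SRC_THREE_DIGIT = re.compile(r"src=(?P<src_ip>\d{3}\.\d{3}\.\d{3}\.\d{3})")

# The "19[^2]" idea only matches first octets 190-199 other than 192;
# 10.x, 109.x or 203.x addresses never match it at all.
NOT_192_WRONG = re.compile(r"^19[^2]")
# A genuine "does not begin with 192." test: a negative lookahead at the start.
NOT_192_LOOKAHEAD = re.compile(r"^(?!192\.)\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$")

# Ayn's caveat: 192.0.2.44 is a public address, so classify by the RFC 1918
# ranges rather than by the "192" prefix. (169.254/16 is link-local, not RFC 1918.)
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def extract_src_ips(log: str, pattern: re.Pattern = SRC_ANY) -> list[str]:
    """Like rex: return the captured src_ip of every line the pattern matches."""
    found = []
    for line in log.splitlines():
        m = pattern.search(line)
        if m:
            found.append(m.group("src_ip"))
    return found


def not_192_wrong(ip: str) -> bool:
    """The 19[^2] test as posted: true only for 190-199 except 192."""
    return NOT_192_WRONG.search(ip) is not None


def not_192_lookahead(ip: str) -> bool:
    """True for every address whose first octet is not exactly 192."""
    return NOT_192_LOOKAHEAD.search(ip) is not None


def is_internal(ip: str) -> bool:
    """Membership in any RFC 1918 range, instead of a string-prefix test."""
    addr = ip_address(ip)
    return any(addr in net for net in RFC1918)


def conntype(ip: str) -> str:
    """Same labels as Ayn's eval: an internal source means an outbound connection."""
    return "Outbound" if is_internal(ip) else "Inbound"


def timechart_by_conntype(log: str) -> dict[str, Counter]:
    """Mimic `timechart span=1d count by conntype`: {day: Counter({conntype: n})}."""
    chart: dict[str, Counter] = {}
    for line in log.splitlines():
        m = SRC_ANY.search(line)
        if not m:
            continue
        day = line.split(" ", 1)[0]
        chart.setdefault(day, Counter())[conntype(m.group("src_ip"))] += 1
    return chart


if __name__ == "__main__":
    ips = extract_src_ips(SAMPLE_LOG)
    print("all src IPs:       ", ips)
    print("with \\d{3} octets: ", extract_src_ips(SAMPLE_LOG, SRC_THREE_DIGIT))
    print("^19[^2] keeps:     ", [ip for ip in ips if not_192_wrong(ip)])
    print("^(?!192\\.) keeps:  ", [ip for ip in ips if not_192_lookahead(ip)])
    for day, counts in timechart_by_conntype(SAMPLE_LOG).items():
        print(day, dict(counts))
```

Running it shows `^19[^2]` keeping only 198.51.100.9 out of the four non-192 sources, while the lookahead keeps all four, and the `\d{3}` pattern returning just the two addresses whose octets are all three digits wide. Splunk's rex is PCRE-based, so the lookahead form also works there if you need the negation inside the extraction itself; the SPL line `rex "src=(?<ip>(?!192\.)\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"` is my suggestion, not something from the thread. The `search NOT` and `eval`/`timechart` approaches in the answers remain the easier ones to read and maintain.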

Drainy
Champion

Hah, I didn't even look at your final rex suggestion!

Ayn
Legend

Oops! My regex was wrong. Editing my answer.

Drainy
Champion

Because the regex is looking for anything that starts with a 19 but not 192. What I would do is probably rex all IPs and then use a pipe to where to filter out the 192 addresses.

AdrienW
Explorer

Here is the return when I match all the IPs of the field src on my index with the command:

stats count(src) by src

[image omitted]

When I use this command I got only 2 values returned:

rex "src=(?<ip>\d{3}\.\d{3}\.\d{3}\.\d{3})" | search NOT ip="192.*" | stats count(ip) by ip

which are: 109.202.232.150 // 169.254.144.215

AdrienW
Explorer

I tried with your first answer:

index="index" sourcetype="my_sourcetype" | rex "src=(?<ip>19[^2]\.\d+\.\d+\.\d+)" | stats count(ip) by ip

That doesn't match anything, but

rex "src=(?<ip>192\.\d+\.\d+\.\d+)"

returns 192.XXX values.

Do you know why?
