Splunk Search

negative regex in search command

AdrienW
Explorer

Dear,

I have an issue with a regular expression in a search command.
I have a log with a field called "src" whose value is an IP address.
I succeeded in matching the IPs which begin with 192 with this command:

rex .*nosrc=(?192\.\d+\.\d+\.\d+).*

Now I would like to match all the IPs that DO NOT begin with 192. How can I do that?

Is the "^" character recognised by Splunk?

Regards,

0 Karma
1 Solution

Ayn
Legend

Sure. I would use eval for this. The process would be to first extract the field containing the IP address, then use eval for determining whether the IP address is internal or external and write the result to a field, and finally feed this into timechart.

... | rex "src=(?<src_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})" | eval conntype=if(match(src_ip,"^192"),"Outbound","Inbound") | timechart span=1d count by conntype

You could also build this into timechart directly:

... | rex "src=(?<src_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})" | timechart span=1d count(eval(match(src_ip,"^192"))) AS Outbound, count(eval(NOT match(src_ip,"^192"))) AS Inbound

NOTE: I didn't cover the case of purely internal traffic, but that's just a matter of extracting both the source and destination IP and adding the case where they both are considered to be internal. Also NOTE that you shouldn't just be testing whether the address begins with 192, lots of public Internet addresses begin with 192 as well. You should be checking for 192.168.


AdrienW
Explorer

You're right, I'll check for the 192.168.

Thanks!

0 Karma

AdrienW
Explorer

Thanks for your edit.

My last question is about the way to encapsulate all the regexes to build this graph:


I have to match all the IPs beginning with 192 (dark green), all the IPs not beginning with 192 (light green) and build a graph like this.
But I think I can't with the "search NOT ip=192.*" command because it filters at the end, no?

I would like, if it's possible, to do the 2 commands like:

command01(only 192) AS inbound command02(only without 192) AS outbound | timechart ......

Is it possible?

0 Karma

Ayn
Legend

It seems some of your text got lost in the formatting. I'm assuming your search looks something like:

... | rex ".*nosrc=(?<somefieldname>192\.\d+\.\d+\.\d+).*"

First of all, you don't need the leading and trailing .*. Splunk will match that automatically. Second, if all you need is a specific regex matching any IP numbers that do not begin with 192, this should work:

... | rex "nosrc=(?<somefieldname>19[^2]\.\d+\.\d+\.\d+)"

That said, the approach is kind of weird and it might be better to just match all IPs in general and instead apply this kind of filtering separately once the field has been extracted. My suggestion would be to do something like

... | rex "nosrc=(?<somefieldname>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})" | search NOT somefieldname="192.*"
0 Karma

Drainy
Champion

Hah, I didn't even look at your final rex suggestion!

0 Karma

Ayn
Legend

Oops! My regex was wrong. Editing my answer.

0 Karma

Drainy
Champion

Because the regex is looking for anything that starts with a 19 but not 192. What I would do is probably rex all IPs and then use a pipe to where to filter out the 192 addresses.

0 Karma

AdrienW
Explorer

Here is the result when I match all the IPs of the field src on my index with the command:

stats count(src) by src


When I use this command, I get only 2 values returned:

rex "src=(?<ip>\d{3}\.\d{3}\.\d{3}\.\d{3})" | search NOT ip="192.*" | stats count(ip) by ip

which are: 109.202.232.150 // 169.254.144.215

0 Karma

AdrienW
Explorer

I tried with your first answer:

index="index" sourcetype="my_sourcetype" | rex "src=(?<ip>19[^2]\.\d+\.\d+\.\d+)" | stats count(ip) by ip

That doesn't match anything, but

rex "src=(?<ip>192\.\d+\.\d+\.\d+)" 

returns 192.XXX values.

Do you know why?

0 Karma
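As an added example, not code from any poster in this thread: the thread's extraction and classification redone with Python's `re` over constructed log events, to show what each regex discussed actually matches (`^192`, the `19[^2]` character class that matches nothing for 192.x addresses, a negative lookahead as a proper negation, and the `\d{3}` rex that only returns two values), plus a 192.168-based check instead of "begins with 192". The events, field names and the `is_rfc1918` helper are constructed for this example.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample events (not taken from the thread's logs).
EVENTS = [
    "action=allow src=192.168.1.10 dst=10.0.0.5",
    "action=allow src=192.0.2.44 dst=10.0.0.5",       # begins with 192 but is not RFC 1918
    "action=allow src=109.202.232.150 dst=10.0.0.5",
    "action=allow src=169.254.144.215 dst=10.0.0.5",
    "action=allow src=10.1.2.3 dst=10.0.0.5",
    "action=allow src=198.51.100.7 dst=10.0.0.5",     # begins with 19 but not 192
]

# Equivalent of: rex "src=(?<src_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"
LOOSE_IP = re.compile(r"src=(?P<src_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})")
# The \d{3} variant from the thread: matches only when every octet has 3 digits
STRICT_IP = re.compile(r"src=(?P<src_ip>\d{3}\.\d{3}\.\d{3}\.\d{3})")

RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def extract_src(events, rex=LOOSE_IP):
    """Return the src_ip values the rex extracts; events without a match are dropped."""
    return [m.group("src_ip") for m in map(rex.search, events) if m]


def count_where(ips, pattern):
    """Equivalent of: ... | regex src_ip="<pattern>" | stats count (unanchored like match())."""
    return sum(1 for ip in ips if re.search(pattern, ip))


def conntype(ip):
    """The accepted answer's eval with the 192.168 check its NOTE asks for:
    eval conntype=if(match(src_ip,"^192\.168\."),"Outbound","Inbound")"""
    return "Outbound" if re.search(r"^192\.168\.", ip) else "Inbound"


def timechart_by_conntype(events):
    """Equivalent of: ... | timechart count by conntype, collapsed to a single bucket."""
    return dict(Counter(conntype(ip) for ip in extract_src(events)))


def is_rfc1918(ip):
    """Constructed helper: 'internal' means an RFC 1918 address, not 'begins with 192'."""
    addr = ip_address(ip)
    return any(addr in net for net in RFC1918)
```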