Dear,
I have some issue with a regular expression in a search command.
I have in a log a field called "src" with some IP in value of this field.
I succeeded to match the IPs which begin with 192 with this command:
rex .*nosrc=(?192\.\d+\.\d+\.\d+).*
Now I would like to match all the IPs that DO NOT begin with 192. How can I do this?
Is the "^" character recognised by Splunk?
Regards,
Sure. I would use eval for this. The process would be to first extract the field containing the IP address, then use eval for determining whether the IP address is internal or external and write the result to a field, and finally feed this into timechart.
... | rex "src=(?<src_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})" | eval conntype=if(match(src_ip,"^192"),"Outbound","Inbound") | timechart span=1d count by conntype
You could also build this into timechart directly:
... | rex "src=(?<src_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})" | timechart span=1d count(eval(match(src_ip,"^192"))) AS Outbound, count(eval(NOT match(src_ip,"^192"))) AS Inbound
NOTE: I didn't cover the case of purely internal traffic, but that's just a matter of extracting both the source and destination IP and adding the case where they both are considered to be internal. Also NOTE that you shouldn't just be testing whether the address begins with 192, lots of public Internet addresses begin with 192 as well. You should be checking for 192.168.
You're right, I'll check for the 192.168.
Thanks!
Thanks for your edit.
My last question is about the way to encapsulate all the regexes to build this graph:
I have to match all the IPs beginning with 192 (dark green), all the IPs without 192 (light green) and build a graph like this.
But I think I can't with the "search NO ip=192.*" command because it filters at the end, no?
I would like, if it's possible, to do the 2 commands like:
command01(only 192) AS inbound command02(only without 192) AS outbound | timechart ......
Is it possible?
It seems some of your text got lost in the formatting. I'm assuming your search looks something like:
... | rex ".*nosrc=(?<somefieldname>192\.\d+\.\d+\.\d+).*"
First of all, you don't need the leading and trailing .* . Splunk will match that automatically. Second, if all you need is a specific regex matching any IP numbers that do not begin with 192, this should work:
... | rex "nosrc=(?<somefieldname>19[^2]\.\d+\.\d+\.\d+)"
That said, the approach is kind of weird and it might be better to just match all IP's in general and instead apply this kind of filtering separately once the field has been extracted. My suggestion would be to do something like
... | rex "nosrc=(?<somefieldname>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})" | search NOT somefieldname="192.*"
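As an added illustration that is not part of either answer above (written in Python rather than SPL so it can be run offline), this reproduces the two steps both answers describe, extracting the src IP and then classifying it, over constructed sample events. It also shows why the 19[^2] pattern does not mean "does not begin with 192", and how the 192.168 caveat is checked with the RFC 1918 ranges instead of a bare prefix. The event lines, field names and range list are constructed for the example.

```python
import re
import ipaddress

# Constructed sample events, modelled on the "src=" field discussed in the thread.
SAMPLE_EVENTS = [
    "action=allow src=192.168.10.5 dst=10.0.0.7",
    "action=allow src=109.202.232.150 dst=10.0.0.7",
    "action=allow src=169.254.144.215 dst=10.0.0.7",
    "action=allow src=192.0.2.44 dst=10.0.0.7",  # begins with 192 but is a public range
    "action=allow src=198.51.100.9 dst=10.0.0.7",
    "action=deny src=10.1.2.3 dst=10.0.0.7",
    "action=deny user=bob",  # no src field, so the extraction yields nothing
]

# Same pattern as rex "src=(?<src_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})".
SRC_RE = re.compile(r"src=(?P<src_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})")
# The mistaken "does not begin with 192" pattern: it really means "19, then a non-2".
WRONG_NOT_192_RE = re.compile(r"^19[^2]")
# Positive prefix test; negate it in code, as NOT match() does in SPL.
PREFIX_192_RE = re.compile(r"^192")
# The 192.168 caveat generalised to the RFC 1918 private ranges.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def extract_src_ips(events):
    """Like rex: keep the captured src_ip of every event that has one."""
    return [m.group("src_ip") for e in events if (m := SRC_RE.search(e))]

def classify_by_prefix(ip):
    """eval conntype=if(match(src_ip,"^192"),"Outbound","Inbound")"""
    return "Outbound" if PREFIX_192_RE.match(ip) else "Inbound"

def classify_rfc1918(ip):
    """Only a genuinely private source counts as Outbound, not every 192.* address."""
    addr = ipaddress.ip_address(ip)
    return "Outbound" if any(addr in net for net in RFC1918) else "Inbound"

def count_by(ips, classify):
    """Equivalent of '| stats count by conntype' over the classified IPs."""
    counts = {}
    for ip in ips:
        label = classify(ip)
        counts[label] = counts.get(label, 0) + 1
    return counts

def wrong_not_192(ips):
    """What ^19[^2] really selects: 190-199 except 192, so 109.x, 169.x and 10.x are lost."""
    return [ip for ip in ips if WRONG_NOT_192_RE.match(ip)]
```

Running count_by with each classifier side by side shows the caveat concretely: 192.0.2.44 is Outbound under the prefix test but Inbound under the RFC 1918 test.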
Hah, I didn't even look at your final rex suggestion!
Oops! My regex was wrong. Editing my answer.
Because the regex is looking for anything that starts with a 19 but not 192. What I would do is probably rex all IP's and then use a pipe to where to filter out the 192 addresses
Here is the return when I match all the IPs of the field src on my index with the command:
stats count(src) by src
When I use this command I got only 2 values returned:
rex "src=(?<ip>\d{3}\.\d{3}\.\d{3}\.\d{3})" | search NOT ip="192.*" | stats count(ip) by ip
which are: 109.202.232.150 // 169.254.144.215
I tried with your first answer :
index="index" sourcetype="my_sourcetype" | rex "src=(?<ip>19[^2]\.\d+\.\d+\.\d+)" | stats count(ip) by ip
That doesn't match anything, but
rex "src=(?<ip>192\.\d+\.\d+\.\d+)"
returns 192.XXX values.
Do you know why?