Solved: Multivalue Regex capture

Derek · ‎06-23-2010

If I have an event with more than one IP addres in it, how can I write a regex that will capture all of the IP's?

Example: Website1 A.B.C.D POST /site/page.asmx - 80 - Z.Y.X.W UserAgentX 401 1 0

Thanks!

Lowell · ‎06-23-2010

Basically you can find ip interactivly using a search command:

| rex max_match=100 "\b(?<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\b"

Or you can setup an automatic field extraction in your props.conf and transforms.conf files.

props.conf:

[my_source_type]
REPORT-ips = all_the_ips

transforms.conf:

[all_the_ips]
REGEX = \b(?<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\b
MV_ADD = True

Lowell · ‎06-23-2010

Basically you can find ip interactivly using a search command:

| rex max_match=100 "\b(?<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\b"

Or you can setup an automatic field extraction in your props.conf and transforms.conf files.

props.conf:

[my_source_type]
REPORT-ips = all_the_ips

transforms.conf:

[all_the_ips]
REGEX = \b(?<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\b
MV_ADD = True

Multivalue Regex capture