Hello,
There is one event.
ex) Normal|2016-05-18 10:52:37|123|119.21.7.28|10460|tcp|52.1.2.157|68|allowed|72|12|External|71.100.3.17|17|ftp
I would like to extract multiple values in one field using regular expressions.
Example:
index=network | head 1 | rex "(?<ip_addr>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"
Right now, only one of the field values is extracted.
Example: ip_addr = 119.21.7.28
I want:
ip_addr = 119.21.7.28
ip_addr = 52.1.2.157
ip_addr = 71.100.3.17
You'll probably want to add the optional parameter max_match=<int> and set it to 0 for unlimited matches.
index=network | rex max_match=0 "(?<ip_addr>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"
Give that a whirl and report back if that's what you need!
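
Added example, not part of the original posts: a self-contained search that rebuilds the sample event with makeresults, so it runs without the network index. It goes beyond the answer by replacing the \d{1,3} pattern, which also accepts out-of-range octets such as 999, with one that limits each octet to 0-255, and by using mvexpand to produce one row per extracted address; ip_count is a name chosen for this example.

```spl
| makeresults
| eval _raw="Normal|2016-05-18 10:52:37|123|119.21.7.28|10460|tcp|52.1.2.157|68|allowed|72|12|External|71.100.3.17|17|ftp"
| rex max_match=0 "(?<ip_addr>\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b)"
| eval ip_count=mvcount(ip_addr)
| mvexpand ip_addr
| table ip_addr ip_count
```

Before mvexpand, ip_addr is a single multivalue field holding all three addresses; after it, each address is on its own row with ip_count set to 3.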