Splunk Search

How to write a RegEx to extract the IP address in reverse order?

draracle
Engager

Currently I am extracting the URL and reverse IP address (D.C.B.A) from a DNS-related event. I would like to capture the IP address in the opposite order (A.B.C.D). I heard this may be possible with sed mode and/or the use of backreferences, but I haven't had any luck getting this to work. I have included a sample event and output below.

Please advise how to capture the reverse IP during field extraction. If this is not possible at the time of field extraction please advise how to output the desired result during a regular search (which could be used for a Dashboard).

Event:
Jan 1 00:00:00 locdet named[123456]: CEF:0|Infoblox|NIOS|7.3.6-335725|RPZ-IP|PASSTHRU|4|app=DNS dst=1.1.1.1 src=2.2.2.2 spt=12345 view=_default qtype=A msg="rpz IP PASSTHRU rewrite urlofinterest.com [A] via 32.D.C.B.A.rpz-ip.malware.rpz.infoblox.local"

RegEx:

^[^"\n]*"\w+\s+\w+\s+\w+\s+\w+\s+(?P<msg_domain>\w+\.\w+\s+\[\w+\])[^\.\n]*\.(?P<msg_revIP>\b(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\b)

Fields Currently Extracted:
msg_domain=urlofinterest.com
msg_revIP=D.C.B.A

Desired Field Extracted:
msg_domain=urlofinterest.com
msg_revIP=A.B.C.D

Thanks


sundareshr
Legend

The following SED expression will reverse the IP order. It does not capture, but it will replace it with the reverse order.

... | rex mode=sed "s/(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})/\4.\3.\2.\1/g"

*UPDATED*

... | eval rev_IP=IP | rex field=rev_IP mode=sed "s/(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})/\4.\3.\2.\1/g"

ChrisBell04
Communicator

Slight tweak to that extraction (using Splunk_TA_infoblox v1.1.0 as the starting point). Will extract the rpz into a new field by itself.

index=infoblox sourcetype=infoblox:dns dns_rpz_policy_action="*" urlofinterest.com 
| eval rev_ip=dns_rpz_reponse_query
| rex field=rev_ip mode=sed "s/(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.rpz/\5.\4.\3.\2/g"
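The rpz-ip name in the sample event carries a prefix length in front of the reversed octets (32.D.C.B.A.rpz-ip.zone), which is why the five-octet sed expression above drops the first group. As an added example that is not from this thread or from Splunk, here is a Python parser for a CEF line of that shape: it pulls the domain and the reversed IP, restores the forward order with the same four-backreference idea as the sed expressions, and validates the result so that a value like 999.1.1.1 is rejected rather than trusted. The field names and the sample event (octets filled in) are constructed for the example.

```python
import re
import ipaddress

# Constructed sample event with the same layout as the one in the thread.
SAMPLE_EVENT = (
    'Jan 1 00:00:00 locdet named[123456]: CEF:0|Infoblox|NIOS|7.3.6-335725|RPZ-IP|PASSTHRU|4|'
    'app=DNS dst=1.1.1.1 src=2.2.2.2 spt=12345 view=_default qtype=A '
    'msg="rpz IP PASSTHRU rewrite urlofinterest.com [A] via 32.4.3.2.1.rpz-ip.malware.rpz.infoblox.local"'
)

# msg="rpz IP <action> rewrite <domain> [<qtype>] via <prefix>.<D>.<C>.<B>.<A>.rpz-ip.<zone>"
MSG_RE = re.compile(
    r'msg="rpz IP \w+ rewrite (?P<domain>\S+) \[(?P<qtype>\w+)\] via '
    r'(?P<prefix>\d{1,3})\.(?P<rev_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\.rpz-ip\.(?P<zone>[\w.-]+)"'
)

# Same idea as the sed expression in the thread: capture four octets, emit them in reverse order.
OCTETS_RE = re.compile(r'^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$')

def reverse_ip(rev_ip):
    """Turn D.C.B.A into A.B.C.D, rejecting anything that is not a valid IPv4 address."""
    forward = OCTETS_RE.sub(r'\4.\3.\2.\1', rev_ip)
    # \d{1,3} also matches 999, so validate before using the value anywhere downstream.
    ipaddress.IPv4Address(forward)  # raises ValueError on out-of-range octets
    return forward

def parse_rpz_event(event):
    """Extract the fields the thread asks for from an Infoblox RPZ-IP CEF event (hypothetical names)."""
    m = MSG_RE.search(event)
    if m is None:
        return None
    prefix = int(m.group("prefix"))
    if not 0 <= prefix <= 32:
        raise ValueError(f"bad prefix length {prefix}")
    ip = reverse_ip(m.group("rev_ip"))
    return {
        "msg_domain": m.group("domain"),
        "msg_revIP": m.group("rev_ip"),
        "msg_IP": ip,
        # The RPZ trigger is the forward address combined with the prefix length from the name.
        "msg_rpz_trigger": str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False)),
        "msg_rpz_zone": m.group("zone"),
    }

if __name__ == "__main__":
    print(parse_rpz_event(SAMPLE_EVENT))
```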

draracle
Engager

I cannot get this to work. I am trying to extract the field. If there is a way to perform a search and change msg_revIP to a new field with this search please provide additional information. Thanks


sundareshr
Legend

So if I understand you right, you want two fields, one with IP and the other with rev_IP. Right? Try the updated search.


draracle
Engager

Thanks, with a slight modification to the fields, this did the trick!


shivarpith
Path Finder

Hey, I have the same issue. Can you share what worked for you? 🙂
