This might be a bit difficult, but I want to try anyway... I am trying to aggregate source and destination IP addresses across a few different device types. For all device types the src and dest IP addresses are valid IPv4, but one type can show IP addresses in two formats.
192.168.1.1
or HOSTNAME1_192.168.1.2
the field looks like this when i want to extract it
src=192.168.1.1
or
src=HOSTNAME1_192.168.1.2
In lea-loggrabber-splunk/local/transforms.conf the kv extraction looks like this:
[src_ip]
SOURCE_KEY=src
REGEX=(.*)
FORMAT=src_ip::$1
which means that I am trying to aggregate IPs that may or may not match.
Two part question: Is there a way to write a regex that will grab only the IP part from the string (either following the = or _ if the ip starts with HOSTNAME1_192.168.1.2)?
would the best way be to define a new field value for just the IP and one for the hostname HOSTNAME1_192.168.1.2 ->(hostname::$1)_(ip::$2)
Secondly, would this be best approached by a separate transforms stanza and props.conf entry (REPORT-ip-extract = ) for the sourcetype ([opsec])?
Try the following
[extract_hostnum_ip]
SOURCE_KEY=src
REGEX=(?:HOSTNAME(?<hostnum>\d+)_)?(?<ip>\d+\.\d+\.\d+\.\d+)
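The regex from the answer above, exercised on constructed sample values as an added example (not part of the original answer or the lea-loggrabber-splunk app). It assumes the answer's regex verbatim; only the named-group syntax changes, since Splunk's REGEX is PCRE (`(?<name>...)`) while Python's re needs `(?P<name>...)`. It also adds the octet check a practitioner wants before aggregating, because `\d+\.\d+\.\d+\.\d+` accepts values like 999.1.1.1.

```python
import re
import ipaddress
from typing import Dict, List, Optional

# Same pattern as the answer's REGEX; Python spells named groups (?P<name>...).
SRC_RE = re.compile(r"(?:HOSTNAME(?P<hostnum>\d+)_)?(?P<ip>\d+\.\d+\.\d+\.\d+)")

# Constructed sample values of the src field, covering both formats in the question.
SAMPLE_SRC = [
    "src=192.168.1.1",
    "src=HOSTNAME1_192.168.1.2",
    "src=HOSTNAME12_10.20.30.40",
    "src=999.1.1.1",          # digits only, not a valid IPv4 address
    "src=HOSTNAME1_",         # hostname prefix with no address after it
]


def extract_src(raw: str) -> Optional[Dict[str, str]]:
    """Mimic the transform: take the value after 'src=', apply the regex and
    return the named groups as fields. Splunk does the same when a REGEX has
    named groups and no FORMAT is given. Returns None when nothing matched."""
    value = raw.partition("=")[2]
    m = SRC_RE.search(value)
    if not m:
        return None
    fields = {"ip": m.group("ip")}
    if m.group("hostnum") is not None:
        fields["hostnum"] = m.group("hostnum")
    return fields


def valid_ipv4(ip: str) -> bool:
    """The regex only checks 'digits.digits.digits.digits'; octets above 255
    slip through. Validate before aggregating so junk does not become a host."""
    try:
        return ipaddress.ip_address(ip).version == 4
    except ValueError:
        return False


def aggregate(raws: List[str]) -> Dict[str, int]:
    """Count events per extracted, validated src IP (the aggregation the question wants)."""
    counts: Dict[str, int] = {}
    for raw in raws:
        fields = extract_src(raw)
        if fields and valid_ipv4(fields["ip"]):
            counts[fields["ip"]] = counts.get(fields["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    for raw in SAMPLE_SRC:
        print(raw, "->", extract_src(raw))
    print(aggregate(SAMPLE_SRC))
```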
would that line be added to props or transforms? My guess is props.conf