All,
When I search and use rex I get the ports from the Apache logs as expected. Getting all ports 80 and 443 and 8080.
index=web 443 | rex field=_raw "^\d+.\d+.\d+.\d+ - (?\d+) ["
How ever, when I place the same extraction in props.conf it only gets port 80
[apache:access]
EXTRACT-port = ^\d+.\d+.\d+.\d+ - (?\d+) [
Any idea where my mistake is?
Try:
EXTRACT-port = ^\d+\.\d+\.\d+\.\d+ - (?P<port>\d+) \[
The field is relative to the sourcetype you specify. Try explicitly including the sourcetype you defined in your props.conf
in your search and see if you get the same results
Your regexes look wrong to me.
Remember a period matches ANYTHING. If you mean only a .
character, then you need to escape it.
so, for instance, matching this regex up with the IP that follows it...
^\d+.\d+.\d+.\d
123.123.33.12
...means that the first \d+ matches the 1
, the .
matches the 2
, the second \d+
matches the 3
, the second .
matches the first .
, and so on.
Escape all those periods and try your test again.
@daniel333, Can you post your code with code button 101010 on Splunk Answers so that special characters do not escape?
Also can you add few mocked up sample events with different port numbers?
Ideally if rex is working in search, then same regular expression should also fetch when saved as Field Extraction (?<port>\d+)
.
Can you try Interactive Field Extraction in Splunk with your regular expression and see if you have Non Matches, or maybe let Splunk generate the regular expression, by adding non-matches.