I've got a regex that's working in Regex101's editor, but when I paste it into Splunk I get garbage or no results:
Regex:
^(?:[^ \n]* ){5}\[(?P<username>\w+)(?:\].*\])(?P<IP>[^:]+)
Sample entries:
Oct 24 18:43:57 openvpn[36372]: 66.103.224.123:59349 [username] Peer Connection Initiated with [AF_INET]66.103.224.123:59349
Oct 24 18:28:54 openvpn[21337]: 66.103.224.123:50873 [username] Peer Connection Initiated with [AF_INET]66.103.224.123:50873
Hi,
why do you say that doesn't run on Splunk?
I tried this:
index=_internal
|head 1
| eval ppp="Oct 24 18:43:57 openvpn[36372]: 66.103.224.123:59349 [username] Peer Connection Initiated with [AF_INET]66.103.224.123:59349"
| rex field=ppp "^(?:[^ \n]* ){5}\[(?P<username>\w+)(?:\].*\])(?P<IP>[^:]+)"
| table username IP
And I have:
username IP
username 66.103.224.123
Bye.
Giuseppe
Thanks, I didn't know you could do this. It turns out I'm using an app that provides predefined sourcetypes. I ran out of oomph last night after rewriting the regex to grab the IP from the first IP and STILL getting the same results, so somewhere in one of my props.conf or transforms.conf is a bad regex. I'll have to track it down tonight.
For the record, these are syslogs from PFSense.
Forgot to add: here's what Splunk captures for the IP:
Initiated with [AF_INET]66.103.224.123
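Both the rex shown in the answer and the mangled IP value in the last reply can be checked offline before touching props.conf or transforms.conf. The script below is an added example, not code from the thread: it runs the question's regex over the two sample events with Python's re module (which accepts the same (?P<name>...) named-group syntax as Splunk's PCRE) and flags any captured IP that does not parse as an address. The function names extract, ip_problems and check_events are the example's own.

```python
import ipaddress
import re
from typing import Optional

# The regex from the question, unchanged. Splunk's rex and props.conf use PCRE;
# Python's re accepts the same (?P<name>...) named-group syntax, so the pattern
# can be checked offline before it goes into a conf file.
PATTERN = re.compile(r"^(?:[^ \n]* ){5}\[(?P<username>\w+)(?:\].*\])(?P<IP>[^:]+)")

# Constructed sample events: copies of the two lines posted in the question.
SAMPLE_EVENTS = [
    "Oct 24 18:43:57 openvpn[36372]: 66.103.224.123:59349 [username] Peer Connection Initiated with [AF_INET]66.103.224.123:59349",
    "Oct 24 18:28:54 openvpn[21337]: 66.103.224.123:50873 [username] Peer Connection Initiated with [AF_INET]66.103.224.123:50873",
]


def extract(event: str) -> Optional[dict]:
    """Return the named groups the pattern captures, or None if it does not match."""
    m = PATTERN.search(event)
    return m.groupdict() if m else None


def ip_problems(fields: dict, ip_field: str = "IP") -> list:
    """Flag a captured IP value that does not parse as an address.

    A value like 'Initiated with [AF_INET]66.103.224.123' (what the app's
    predefined extraction produced in the thread) fails here, which is the
    quickest way to spot a bad regex hiding in props.conf or transforms.conf.
    """
    value = fields.get(ip_field)
    if value is None:
        return [f"{ip_field}: missing"]
    try:
        ipaddress.ip_address(value)
    except ValueError:
        return [f"{ip_field}: {value!r} is not a valid IP address"]
    return []


def check_events(events: list) -> list:
    """Run the extraction over each event and collect the problems found per event."""
    report = []
    for event in events:
        fields = extract(event)
        problems = ["pattern did not match"] if fields is None else ip_problems(fields)
        report.append((event, problems))
    return report
```

Run check_events over a sample pulled from the real sourcetype and any non-empty problem list points at the extraction that needs fixing.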