I am trying to extract an IP address into a field, however the same information occurs on two different logs, with two different logging methods.
I am attempting to extract the field with just one RegEx statement, but I can't seem to get the "AND" or "OR" portion of RegEx to recognize both data sets.
This is what I have:
src\s-\s(?
I am attempting to extract the external IP address, from two different devices with 1 RegEx statement and put either 'hit' into the field "ext_ip".
Here are the two message types:
DENIED - 10.10.10.10:8080 |
src - 10.10.10.10:8080
Does anyone know of a way to do this?
Given that the difference is the prefix, and the formatting of the address is the same, I might do something like this:
(DENIED|src)\s-\s(?<ip_here>\d+\.\d+\.\d+\.\d+)
Even if you can solve the problem like this, you can also give the same field two different extractions, based on DENIED and src, from the Splunk Web GUI.
Kamal Bisht
Hey there, I hope this would help you.
D?E?N?I?E?D?s?r?c?\s-\s(?<ext_ip>\d+\.\d+\.\d+\.\d+):\d{4}
Note that your regex above would allow for many different prefixes before the IP and port, like:
DEDrc -
EIE -
Dc -
DD -
ENDs -
etc.
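To make the difference between the two regexes in this thread concrete, here is an added Python example (not code from the thread or from Splunk) that runs both patterns against constructed log lines modelled on the two message shapes in the question. Python's re module spells a named group (?P<name>...) where Splunk's PCRE accepts (?<name>...); otherwise the two patterns are the ones given above, with the backslashes that the site strips put back. The DEDrc line, the 3-digit port and the 999 octet are constructed inputs chosen to show what each pattern accepts. The third, stricter pattern (anchored to the start of the line, octets limited to 0-255, port limited to 1-5 digits) and the ipaddress check are my additions, not anything the answers propose.

```python
import ipaddress
import re

# Constructed sample log lines: the first two copy the shapes shown in the
# question, the remaining three are deliberately awkward or malformed.
SAMPLE_LOGS = [
    "DENIED - 10.10.10.10:8080 |",
    "src - 10.10.10.10:8080",
    "src - 203.0.113.7:443",        # 3-digit port, perfectly normal
    "DEDrc - 10.10.10.10:8080",     # garbage prefix the optional-char regex accepts
    "src - 999.1.1.1:8080",         # not a valid IPv4 address
]

# The alternation form from the accepted answer, with the group named ext_ip
# as the question asked (Python needs (?P<name>...) instead of (?<name>...)).
ALTERNATION_RE = re.compile(r"(DENIED|src)\s-\s(?P<ext_ip>\d+\.\d+\.\d+\.\d+)")

# The optional-character form from the other answer, backslashes restored.
OPTIONAL_CHARS_RE = re.compile(
    r"D?E?N?I?E?D?s?r?c?\s-\s(?P<ext_ip>\d+\.\d+\.\d+\.\d+):\d{4}"
)

# Added stricter pattern (assumption: the prefix always starts the event).
# Each octet is limited to 0-255, the port to 1-5 digits, and the whole thing
# is anchored so a prefix like "DEDrc" cannot slip through.
OCTET = r"(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)"
STRICT_RE = re.compile(
    rf"^(?P<prefix>DENIED|src)\s-\s(?P<ext_ip>{OCTET}(?:\.{OCTET}){{3}}):(?P<port>\d{{1,5}})\b"
)


def extract(pattern, line):
    """Return the ext_ip capture for line, or None when the pattern does not match."""
    m = pattern.search(line)
    return m.group("ext_ip") if m else None


def extract_strict(line):
    """Return (ext_ip, port) only when the line is well formed and the address parses."""
    m = STRICT_RE.search(line)
    if not m:
        return None
    port = int(m.group("port"))
    if not 0 <= port <= 65535:
        return None
    try:
        ip = ipaddress.IPv4Address(m.group("ext_ip"))  # belt-and-braces validation
    except ValueError:
        return None
    return str(ip), port


def run_all(lines):
    """Tabulate what each regex extracts from every sample line."""
    return [
        {
            "line": line,
            "alternation": extract(ALTERNATION_RE, line),
            "optional_chars": extract(OPTIONAL_CHARS_RE, line),
            "strict": extract_strict(line),
        }
        for line in lines
    ]


if __name__ == "__main__":
    for row in run_all(SAMPLE_LOGS):
        print(row)
```

Running it shows the three points made in the thread and one more: the alternation regex ignores the DEDrc line, the optional-character regex accepts it, the optional-character regex also misses the legitimate 203.0.113.7:443 line because :\d{4} demands exactly four port digits, and both loose patterns happily "extract" 999.1.1.1, which is not an address at all. If the field is going to feed a lookup or an alert, the stricter pattern (or a validation step after extraction) is worth the extra characters.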
This worked perfectly!!! Thank you very much!
Consider accepting the answer if it helped you; in this way, others know that a good solution was found.
It treats the backslash as an escape character. To get one to print within the body of the text, you'll have to use two together.
You could try the built-in Splunk extraction. Since they are 2 different logs and logging methods, just extract the field "src_ip" in each, do a search including both log types, and you will get the extracted results from both automagically.
http://docs.splunk.com/Documentation/Splunk/4.3.2/User/InteractiveFieldExtractionExample
In the above RegEx statements, it keeps removing the backslash, so simply assume they are there in the RegEx statement above. 😃