Splunk Search

RegEx AND / OR?

tmarlette
Motivator

I am trying to extract an IP address into a field; however, the same information occurs in two different logs, with two different logging methods.

I am attempting to extract the field with just one RegEx statement, but I can't seem to get the "AND" or "OR" portion of RegEx to recognize both data sets.

This is what I have:
src\s-\s(?<ext_ip>\d+\.\d+\.\d+\.\d+) OR DENIED\s-\s(?<ext_ip>\d+\.\d+\.\d+\.\d+)

I am attempting to extract the external IP address, from two different devices with 1 RegEx statement and put either 'hit' into the field "ext_ip".

Here are the two message types:
DENIED - 10.10.10.10:8080 |
src - 10.10.10.10:8080

Does anyone know of a way to do this?

1 Solution

sowings
Splunk Employee

Given that the difference is the prefix, and the formatting of the address is the same, I might do something like this:

(DENIED|src)\s-\s(?<ip_here>\d+\.\d+\.\d+\.\d+)

kml_uvce
Builder

You can also solve the problem like this: you can give the same field two different extractions, based on DENIED and src, from the Splunk Web GUI.

Kamal Bisht


eashwar
Communicator

Hey there, I hope this would help you.

D?E?N?I?E?D?s?r?c?\s-\s(?<ext_ip>\d+\.\d+\.\d+\.\d+):\d{4}


sowings
Splunk Employee

Note that your regex above would allow for many different prefixes before the IP and port, like:

DEDrc -
EIE -
Dc -
DD -
ENDs -

etc.

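To see both points made in this thread in action, the alternation in the accepted answer and the over-permissive optional-letter prefix that sowings points out, here is an added Python example; it is not code from the thread or from Splunk. It assumes Python's re module, which spells a named group (?P<name>...) where Splunk's PCRE spells it (?<name>...); the sample events are constructed to mirror the two formats in the question plus two prefixes a correct extraction should reject.

```python
import re

# Constructed sample events: the two formats from the question plus two
# prefixes that a correct extraction should reject (not real log data).
SAMPLE_EVENTS = [
    "DENIED - 10.10.10.10:8080 |",
    "src - 10.10.10.10:8080",
    "DEDrc - 192.0.2.7:8080",    # one of the bogus prefixes sowings lists
    "allow - 192.0.2.8:8080",    # a prefix neither log format uses
]

# Accepted answer: one alternation group for the prefix, one named group for
# the address. Python's re spells the named group (?P<ext_ip>...); Splunk's
# PCRE spells it (?<ext_ip>...); the rest of the pattern is identical.
STRICT = re.compile(r"(DENIED|src)\s-\s(?P<ext_ip>\d+\.\d+\.\d+\.\d+)")

# eashwar's pattern with the stripped backslashes restored. Every prefix
# letter is individually optional, so the prefix matches any subsequence of
# "DENIEDsrc", including the empty string.
LOOSE = re.compile(r"D?E?N?I?E?D?s?r?c?\s-\s(?P<ext_ip>\d+\.\d+\.\d+\.\d+):\d{4}")

# The question's first attempt, with the field name and backslashes restored
# (Python forbids duplicate group names, so the second group is ext_ip2).
# A literal " OR " is not alternation: this only matches an event that
# contains BOTH halves, separated by the text " OR ".
LITERAL_OR = re.compile(
    r"src\s-\s(?P<ext_ip>\d+\.\d+\.\d+\.\d+) OR DENIED\s-\s(?P<ext_ip2>\d+\.\d+\.\d+\.\d+)"
)


def extract_ext_ip(pattern: re.Pattern, event: str):
    """Return the ext_ip captured by `pattern`, or None when the event does not match."""
    m = pattern.search(event)
    return m.group("ext_ip") if m else None


def extract_from_events(pattern: re.Pattern, events=SAMPLE_EVENTS) -> dict:
    """Map each event to the ext_ip `pattern` extracts from it (None = no match)."""
    return {event: extract_ext_ip(pattern, event) for event in events}


def false_positives(pattern: re.Pattern, events=SAMPLE_EVENTS) -> list:
    """Events that `pattern` extracts an address from but STRICT does not.

    These are the events that would silently land in ext_ip with a prefix
    neither log format produces."""
    return [e for e in events
            if extract_ext_ip(pattern, e) and not extract_ext_ip(STRICT, e)]


if __name__ == "__main__":
    for name, pattern in (("STRICT", STRICT), ("LOOSE", LOOSE), ("LITERAL_OR", LITERAL_OR)):
        print(name)
        for event, ip in extract_from_events(pattern).items():
            print(f"  {event!r:32} -> {ip}")
    print("loose-pattern false positives:", false_positives(LOOSE))
```

STRICT extracts 10.10.10.10 from both real formats and nothing from the two bogus ones; LOOSE also extracts from "DEDrc -" and even from "allow -" (its prefix can be empty); LITERAL_OR matches none of the events. Pasting the STRICT pattern into Splunk with (?<ext_ip>...) instead of (?P<ext_ip>...) gives the same behaviour as the accepted answer.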

tmarlette
Motivator

This worked perfectly!!! Thank you very much!


sowings
Splunk Employee

Consider accepting the answer if it helped you; in this way, others know that a good solution was found.


sowings
Splunk Employee

It treats the backslash as an escape character. To get one to print within the body of the text, you'll have to use two together.


axinjakson
Explorer

You could try the built-in Splunk extraction. Since they are 2 different logs and logging methods, just extract the field "src_ip" in each, do a search including both log types, and you will get the extracted results from both automagically.

http://docs.splunk.com/Documentation/Splunk/4.3.2/User/InteractiveFieldExtractionExample


tmarlette
Motivator

In the above RegEx statements, it keeps removing the backslash, so simply assume they are there in the RegEx statement above. 😃
