Solved: regex remove events from search

brdr · ‎05-02-2018

I'm reading in events from a lookup table and I'm trying to remove events using RegEx that meet criteria but can't get it to work. I want to remove any host that is an IP address.

lookup file:
host
x.x.x.x
hosta
x.x.x.x
hostb

| inputlookup mylookup

| regex host!="/^\d{1,3}.\d{1,3}.\d{1,3}.\d{1,3}$/"
| table host

With this I still get all events. thx.

xpac · ‎05-02-2018

Try this:

| inputlookup mylookup 
| regex host!="^\d{1,3}.\d{1,3}.\d{1,3}.\d{1,3}$"
| table host

You just had to remove the / at the start and end 🙂

Hope that helps - if it does I'd be happy if you would upvote/accept this answer, so others could profit from it. 🙂

View solution in original post

TISKAR · ‎05-02-2018

Hello,

You can also use the regex OR match function:

match:

   , | inputlookup mylookup 
     | where !match(host,"(\d{1,3}\.){3}\d+")
     | table host

Regex:

 | inputlookup mylookup 
 | regex host!="^(\d{1,3}\.){3}\d{1,3}$"
 | table host

brdr · ‎05-02-2018

Thanks TISKAR, xpac for response!

xpac · ‎05-02-2018

Try this:

| inputlookup mylookup 
| regex host!="^\d{1,3}.\d{1,3}.\d{1,3}.\d{1,3}$"
| table host

You just had to remove the / at the start and end 🙂

Hope that helps - if it does I'd be happy if you would upvote/accept this answer, so others could profit from it. 🙂

regex remove events from search

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!