Hi David

I've added quite a few URL based intelligence feeds which are typically a web page of IP's however, as my original post yes I'm stuck as I get parsing errors.

I've followed the instructions.
Here's the guide on how to add a webpage as a threat intel source for ES :
https://docs.splunk.com/Documentation/ES/5.3.0/Admin/Downloadthreatfeed#Add_a_URL-based_threat_sourc...

I've tried the following to extract the fields.
(?^\d{1,3}.\d{1,3}.\d{1,3}.\d{1,3})|(?\w+)|(?\d+)|(?\d+)|(?\w+)|(?\d+)|(?\w+\s+\S+)|(?[a-zA-Z&]\w+.*)?\

And listed the fields

I've tried using regular expressions to extract the fields, I've also tried to use a separator.
The download feed consists of 8 fields seperated by '|' symbol which start at line 155 in the web page.
The web page consists of html and each line consisting of the six fields has the following html
'

The fields are:
|||||||

Eight field is optional.

I've tested listing the fields in the notation as documented:
:$,.$
ip:$1,description:domain_blocklist

Checking the threat management log I see parsing failure.

What about this as a regex :

  (?<ip>^\d{1,3}.\d{1,3}\.\d{1,3}.\d{1,3})\|(?<name>\w+)\|(?<directoryPort>\d+)\|(?<routerPort>\d+)\|(?<flags>\w+)\|(?<uptime>\d+)\|(?<version>\w+\s+\S+)\|(?<description>[a-zA-Z&]\w.+)

Is it giving you anything ?

Hi David

I tried your suggestion above which I tried also originally still parsing errors.

I went back to my originally
regex: (?^\d{1,3}.\d{1,3}.\d{1,3}.\d{1,3})|(?\w+)|(?\d+)|(?\d+)|(?\w+)|(?\d+)|(?\w+\s+\S+)|(?[a-zA-Z&]\w+.*)?\

and removed delimiter this time setting fields
to ip:$1, description:"DAN_TOR-$3-$4-$5"

This worked!

Is there any chance you could post the full configurations for this?