Hey guys, this is one for any regex grand masters.
I have a field (snort_dst) which contains addresses in both these formats:
1.2.3.4
5.6.7.8:910
where :910 denotes the port number.
I have the following search, which splits the address into snort_dst_ip and snort_dst_port fields:
| rex field=snort_dst "(?<snort_dst_ip>[^:]+):(?<snort_dst_port>\S+)"
This properly splits on the : but my values which are just IPs don't get matched, as they don't fit the :portnum regex.
What I need is something which will work in either situation, something like "if contains : do this, else do this", but my regex knowledge is still in its infancy.
Put the section with a colon and the port in a group that you'll declare is optional:
(...)?
Try this.
| rex field=snort_dst "(?<snort_dst_ip>[^:]+)(:(?<snort_dst_port>\S+))?"
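To see what the optional group does on both input formats, here is an added Python example (not part of the original answer) that applies the same pattern. Python's re module spells named groups as (?P<name>...) where Splunk's PCRE uses (?<name>...); the ipv4 check and the IPv6-shaped sample value are my own additions.

```python
import ipaddress
import re

# The answer's rex pattern in Python syntax. The trailing (...)? makes the
# ":port" part optional, so a bare IP still matches and only snort_dst_ip
# is populated.
SNORT_DST_RE = re.compile(r"(?P<snort_dst_ip>[^:]+)(:(?P<snort_dst_port>\S+))?")


def split_snort_dst(value: str) -> dict:
    """Return the fields rex would extract from one snort_dst value.

    snort_dst_port is left out when the optional group did not match,
    mirroring Splunk, which does not create a field for an unmatched group.
    """
    m = SNORT_DST_RE.search(value)  # rex also searches, it does not anchor
    if m is None:
        return {}
    fields = {"snort_dst_ip": m.group("snort_dst_ip")}
    if m.group("snort_dst_port") is not None:
        fields["snort_dst_port"] = m.group("snort_dst_port")
    return fields


def is_ipv4_literal(text: str) -> bool:
    """Sanity check for the extracted address: [^:]+ stops at the first
    colon, so an IPv6 destination would be split at its first ':' and
    yield a bogus ip/port pair. Flagging non-IPv4 results catches that."""
    try:
        ipaddress.IPv4Address(text)
    except ValueError:
        return False
    return True


# Constructed sample values: the two formats from the question plus one
# IPv6-shaped value to show the caveat.
SAMPLES = ["1.2.3.4", "5.6.7.8:910", "2001:db8::1"]

if __name__ == "__main__":
    for v in SAMPLES:
        fields = split_snort_dst(v)
        ok = is_ipv4_literal(fields.get("snort_dst_ip", ""))
        print(f"{v!r} -> {fields} {'ok' if ok else 'NOT IPv4, check source'}")
```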
Thanks sowings, that's exactly what I needed. I knew it would be simple!