Solved: Re: How to write the regex for multivalue field ex...

rubeniturrieta · ‎07-23-2015

Hi to everyone:

I have a single event with 15,394 lines, and i can't write a regular expression for a field extraction (a list of ip addresses), like it can be seen in the attachment.

I have this:

//// a lot of lines
servidores
{
and
{
or
{
ip
{
ip1
ip2
ip3
}
}
}
/// another lot of lines

And I need this:

field: ip
values: ip1, ip2 and ip3

How can I write this regular expression?

Any help, i'll be very grateful.

Regards

somesoni2 · ‎07-23-2015

Try something like this

Updated*

- props.conf
[YourSourcetype]
...other configurations...
EXTRACT-servidoresip = servidores([\r\n])\{([\r\n])and([\r\n])\{([\r\n])or([\r\n])\{\s*ip\s*\{(?<IP>[^\}]+)
REPORT-extract_ipaddresses = extract_ipaddresses


- transforms.conf
    [extract_ipaddresses]
SOURCE_KEY = IP
REGEX = (\d+\.\d+\.\d+\.\d)
FORMAT = ip::$1
MV_ADD = true

Sample test data used:

servidores1
{
and
{
or
{
ip
{
 54.54.54.54
 55.55.55.55
 66.66.66.66
}
}
}
servidores
{
and
{
or
{
ip
{
 10.10.10.10
 11.11.11.11
 12.12.12.12
}
}
}
servidores2
{
and
{
or
{
ip
{
 54.54.54.54
 55.55.55.55
 66.66.66.66
}
}
}

View solution in original post

somesoni2 · ‎07-23-2015

Try something like this

Updated*

- props.conf
[YourSourcetype]
...other configurations...
EXTRACT-servidoresip = servidores([\r\n])\{([\r\n])and([\r\n])\{([\r\n])or([\r\n])\{\s*ip\s*\{(?<IP>[^\}]+)
REPORT-extract_ipaddresses = extract_ipaddresses


- transforms.conf
    [extract_ipaddresses]
SOURCE_KEY = IP
REGEX = (\d+\.\d+\.\d+\.\d)
FORMAT = ip::$1
MV_ADD = true

Sample test data used:

servidores1
{
and
{
or
{
ip
{
 54.54.54.54
 55.55.55.55
 66.66.66.66
}
}
}
servidores
{
and
{
or
{
ip
{
 10.10.10.10
 11.11.11.11
 12.12.12.12
}
}
}
servidores2
{
and
{
or
{
ip
{
 54.54.54.54
 55.55.55.55
 66.66.66.66
}
}
}

rubeniturrieta · ‎07-23-2015

Thank you very much someoni2, but I have several lists of IP addresses that correspond to different fields in the same event. How would it be then?

somesoni2 · ‎07-23-2015

So do you have any prefix or pattern before/after the list of IP you want to extract?

rubeniturrieta · ‎07-23-2015

Yes, in the example, the word "servidores" is identifier for the field, and the regular pattern is

"
and
{
or
{
ip
{
"

somesoni2 · ‎07-23-2015

See if the updated answer works for you. I'm extracting a temp field to get section servicedores and then getting a mv field with IP addresses present in it.

rubeniturrieta · ‎07-23-2015

Wow, thanks you somesoni2, but it doesn't works yet for me, but i think you are very close. Maybe something about space characters?

    servidores
    {
        and
        {
            or
            {
                ip
                {
                    168.88.13.6
                    168.88.11.164
                    168.88.13.29
                    168.88.13.39
                    168.88.13.60
                    168.88.13.150
                    168.88.13.115

rubeniturrieta · ‎07-23-2015

Yes, it was the space character. Thanks you very much somesoni2.

How to write the regex for multivalue field extraction (a list of IP addresses) for a very large event?

Enterprise Security Content Update (ESCU) | New Releases

Detecting Remote Code Executions With the Splunk Threat Research Team

Observability | Use Synthetic Monitoring for Website Metadata Verification