https://community.splunk.com/t5/Getting-Data-In/srcip-having-numeric-number/m-p/528285#M89074 <P>Yes&nbsp;<SPAN>&nbsp;gcusello , exactly it is working in Splunk as well.&nbsp;</SPAN></P><P><SPAN>Moto behind creating this filed extraction is there are some numeric values also being captured along with&nbsp;ip address.&nbsp; And i wanted to exclude those numeric values here. any suggestion would be highly appreciated here</SPAN></P> Fri, 06 Nov 2020 07:31:25 GMT pavanbmishra 2020-11-06T07:31:25Z https://community.splunk.com/t5/Getting-Data-In/srcip-having-numeric-number/m-p/528184#M89050 <P>Hi All,</P><P>While analyzing the firewall logs, i could see src_ip (src) field taking some numeric number also alognwith actual ip address, sharing the below sample log where it is grabing src is 5864897 the numric one just after PASS.&nbsp;</P><P>Nov 5 17:37:57 abcxyz.com fwlogs:[27999] match PASS 5864897/5893553 IN 60 TCP 10.10.10.10/4655-&gt;10.20.20.20/443 S</P><P>I extracted field as below for src, still it is not getting parsed and taking numeric value. Kindly help</P><P>(TCP|FIN|RST|TIMEOUT)\s(?&lt;srcip&gt;\d+\.\d+\.\d+\.\d+)/</P> Thu, 05 Nov 2020 17:43:29 GMT https://community.splunk.com/t5/Getting-Data-In/srcip-having-numeric-number/m-p/528184#M89050 pavanbmishra 2020-11-05T17:43:29Z https://community.splunk.com/t5/Getting-Data-In/srcip-having-numeric-number/m-p/528192#M89053 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/196109">@pavanbmishra</a>,</P><P>the problem is the final slash "/" that must be escaped:</P><LI-CODE lang="markup">| rex "(TCP|FIN|RST|TIMEOUT)\s(?&lt;srcip&gt;\d+\.\d+\.\d+\.\d+)\/"</LI-CODE><P>that you can test at&nbsp;<A href="https://regex101.com/r/YTmopO/1" target="_blank">https://regex101.com/r/YTmopO/1</A></P><P>Ciao.</P><P>Giuseppe</P> Thu, 05 Nov 2020 17:58:21 GMT https://community.splunk.com/t5/Getting-Data-In/srcip-having-numeric-number/m-p/528192#M89053 gcusello 2020-11-05T17:58:21Z https://community.splunk.com/t5/Getting-Data-In/srcip-having-numeric-number/m-p/528193#M89054 <P>Thanks&nbsp;<SPAN>gcusello,</SPAN></P><P><SPAN>I try this also, still no luck. same issue</SPAN></P> Thu, 05 Nov 2020 18:08:29 GMT https://community.splunk.com/t5/Getting-Data-In/srcip-having-numeric-number/m-p/528193#M89054 pavanbmishra 2020-11-05T18:08:29Z https://community.splunk.com/t5/Getting-Data-In/srcip-having-numeric-number/m-p/528276#M89070 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/196109">@pavanbmishra</a>,</P><P>probably your logs are different than the one you shared because the regex is correct:</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ppp.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/11671i06574BA2A80C8FBD/image-size/medium?v=v2&amp;px=400" role="button" title="ppp.png" alt="ppp.png" /></span></P><P>Could you share other samples?</P><P>Ciao.</P><P>Giuseppe</P> Fri, 06 Nov 2020 07:04:11 GMT https://community.splunk.com/t5/Getting-Data-In/srcip-having-numeric-number/m-p/528276#M89070 gcusello 2020-11-06T07:04:11Z https://community.splunk.com/t5/Getting-Data-In/srcip-having-numeric-number/m-p/528280#M89071 <P>Yeah it is, by the way many thanks for being helping hand</P><P>Even i try this and it is working on regex101 but not working under extracted field, here is the below sample log</P><P>Nov 6 07:13:43 xyz.com dflogs:[13223] match PASS 5864435/5893003 IN 52 TCP 10.10.10.10/62203-&gt;10.20.20.20/443 SEW</P><P>Also wanted to highlight that src and src_ip field ia already there and i am overwritting the regex using field extraction, would that work? or is there anything else i need to look into here.</P> Fri, 06 Nov 2020 07:19:49 GMT https://community.splunk.com/t5/Getting-Data-In/srcip-having-numeric-number/m-p/528280#M89071 pavanbmishra 2020-11-06T07:19:49Z https://community.splunk.com/t5/Getting-Data-In/srcip-having-numeric-number/m-p/528284#M89073 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/196109">@pavanbmishra</a>,</P><P>I don't understand why you want to overwrite the srcip value, anyway, the regex is correct and runs also in Splunk not only in regex101</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="gcusello_0-1604647482264.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/11672i5F306F08CC51AB32/image-size/medium?v=v2&amp;px=400" role="button" title="gcusello_0-1604647482264.png" alt="gcusello_0-1604647482264.png" /></span></P><P>As i said probably there's something different in your logs.</P><P>Ciao.</P><P>Giuseppe</P> Fri, 06 Nov 2020 07:25:26 GMT https://community.splunk.com/t5/Getting-Data-In/srcip-having-numeric-number/m-p/528284#M89073 gcusello 2020-11-06T07:25:26Z https://community.splunk.com/t5/Getting-Data-In/srcip-having-numeric-number/m-p/528285#M89074 <P>Yes&nbsp;<SPAN>&nbsp;gcusello , exactly it is working in Splunk as well.&nbsp;</SPAN></P><P><SPAN>Moto behind creating this filed extraction is there are some numeric values also being captured along with&nbsp;ip address.&nbsp; And i wanted to exclude those numeric values here. any suggestion would be highly appreciated here</SPAN></P> Fri, 06 Nov 2020 07:31:25 GMT https://community.splunk.com/t5/Getting-Data-In/srcip-having-numeric-number/m-p/528285#M89074 pavanbmishra 2020-11-06T07:31:25Z https://community.splunk.com/t5/Getting-Data-In/srcip-having-numeric-number/m-p/528291#M89075 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/196109">@pavanbmishra</a>,</P><P>could you explay better this new situation?</P><P>what do you mean with "<SPAN>there are some numeric values also being captured along with&nbsp;ip address"?</SPAN></P><P><SPAN>if you use my above regex you can only take values in IP4 format.</SPAN></P><P><SPAN>Ciao.</SPAN></P><P><SPAN>Giuseppe</SPAN></P> Fri, 06 Nov 2020 08:17:31 GMT https://community.splunk.com/t5/Getting-Data-In/srcip-having-numeric-number/m-p/528291#M89075 gcusello 2020-11-06T08:17:31Z