topic Regex field extraction question in Splunk Search

Regex field extraction question

MAMAOUI — Wed, 15 Nov 2017 09:19:51 GMT

I have this log format for extracting

Sep 01 09:55:11 @ipdest HSL: @ip1:port1 <-> @ip2:port2 | @ip3:port3 <-> @ip4:port4

REGEX = (?\S+\s+\d+ \d+:\d+:\d+) (?\d+.\d+.\d+.\d+)[^[]HSL: (?<@ip1>\d+.\d+.\d+.\d+):(?\S+) <-> (?<@ip2>\d+.\d+.\d+.\d+):(?\S+) | (?<@ip3>\d+.\d+.\d+.\d+):(?\S+) <-> (?<@ip4>\d+.\d+.\d+.\d+):(?\S+)

I would like to extract everything , but in my results, all fields were exctracted except whose after pipe | (@ip3:port3 <-> @ip4:port4).
Any help much appreciated.
Thankyou.

Re: Regex field extraction question

micahkemp — Wed, 15 Nov 2017 13:02:25 GMT

The | character acts as an OR in regex. If you would like to match a literal | escape it: \|.

REGEX = (?\S+\s+\d+ \d+:\d+:\d+) (?\d+.\d+.\d+.\d+)[^[]HSL: (?<@ip1>\d+.\d+.\d+.\d+):(?\S+) <-> (?<@ip2>\d+.\d+.\d+.\d+):(?\S+) \| (?<@ip3>\d+.\d+.\d+.\d+):(?\S+) <-> (?<@ip4>\d+.\d+.\d+.\d+):(?\S+)

Re: Regex field extraction question

cpetterborg — Wed, 15 Nov 2017 13:14:26 GMT

You also better escape the periods in your IP addresses - \.. A period will match almost any character of not escaped. Depending on your data, that could be a problem, but likely in this case it won't. But it will parse more quickly if you escape them, which is a side benefit.

Re: Regex field extraction question

MAMAOUI — Wed, 15 Nov 2017 14:03:34 GMT

Hello ,

Thank you, It works now,I added the \ before the |.

Meryem