https://community.splunk.com/t5/Splunk-Search/AD-FS-ip-field-extraction/m-p/405229#M117141 <P>Stuck on regex question for Ad FS logs. I am trying to extract all ips following a field ("Client IP: ") in a AD FS log.<BR /> My log looks like this (truncated to save space):</P> <PRE><CODE>10/02/2018 09:22:50 AM LogName=Security SourceName=AD FS Auditing EventCode=411 EventType=0 Type=Information ComputerName=* User=* Sid=* SidType=1 TaskCategory=Printers OpCode=Info RecordNumber=* Keywords=Audit Failure, Classic Message=Token validation failed. See inner exception for more details. Additional Data Activity ID: 00000000-0000-0000-0000-000000000000 Token Type: <A href="http://schemas.microsoft.com/ws/2006/05/identitymodel/tokens/UserName" target="test_blank">http://schemas.microsoft.com/ws/2006/05/identitymodel/tokens/UserName</A> Client IP: 117.31.21.102,2603:1001:750:16::5 Error message: ***** Exception details: System.IdentityModel.Tokens.SecurityTokenValidationException: ****** at Microsoft.IdentityServer.Service.Tokens.MSISWindowsUserNameSecurityTokenHandler.ValidateToken(SecurityToken token) </CODE></PRE> <P>So the end result desired is that I get both ip addresses under the field src_ip (so it is multivalue), and that it only tries the regex if it finds the EventCode=411 or 512, etc...</P> <P>What I have so far is this:</P> <P><CODE>(?ms)(?:\G(?!\A)\s*,\s*|EventCode=411\R.*?\R)\K(?P&lt;src_ip&gt;(?:\d{1,3}\.){3}(?:\d{1,3})|(?:::)?(?:[\dA-Fa-f]{1,4}:{1,2}){1,7}[\d%A-Fa-f.]*(?:::)?|::[\dA-Fa-f.]{1,15}|::)</CODE> - which was helpfully provided by someone over at stackoverflow.</P> <P>This works in regex101 and any other regex helper sites. However when applied to splunk it only snateches up the first ip. What am I missing her. I have tested each individual part independently(as much as I could) and they have worked.</P> <P>Is there a problem with negative lookaheads in Splunk? </P> <P>Any ideas?</P> Tue, 02 Oct 2018 21:33:47 GMT jig004 2018-10-02T21:33:47Z https://community.splunk.com/t5/Splunk-Search/AD-FS-ip-field-extraction/m-p/405229#M117141 <P>Stuck on regex question for Ad FS logs. I am trying to extract all ips following a field ("Client IP: ") in a AD FS log.<BR /> My log looks like this (truncated to save space):</P> <PRE><CODE>10/02/2018 09:22:50 AM LogName=Security SourceName=AD FS Auditing EventCode=411 EventType=0 Type=Information ComputerName=* User=* Sid=* SidType=1 TaskCategory=Printers OpCode=Info RecordNumber=* Keywords=Audit Failure, Classic Message=Token validation failed. See inner exception for more details. Additional Data Activity ID: 00000000-0000-0000-0000-000000000000 Token Type: <A href="http://schemas.microsoft.com/ws/2006/05/identitymodel/tokens/UserName" target="test_blank">http://schemas.microsoft.com/ws/2006/05/identitymodel/tokens/UserName</A> Client IP: 117.31.21.102,2603:1001:750:16::5 Error message: ***** Exception details: System.IdentityModel.Tokens.SecurityTokenValidationException: ****** at Microsoft.IdentityServer.Service.Tokens.MSISWindowsUserNameSecurityTokenHandler.ValidateToken(SecurityToken token) </CODE></PRE> <P>So the end result desired is that I get both ip addresses under the field src_ip (so it is multivalue), and that it only tries the regex if it finds the EventCode=411 or 512, etc...</P> <P>What I have so far is this:</P> <P><CODE>(?ms)(?:\G(?!\A)\s*,\s*|EventCode=411\R.*?\R)\K(?P&lt;src_ip&gt;(?:\d{1,3}\.){3}(?:\d{1,3})|(?:::)?(?:[\dA-Fa-f]{1,4}:{1,2}){1,7}[\d%A-Fa-f.]*(?:::)?|::[\dA-Fa-f.]{1,15}|::)</CODE> - which was helpfully provided by someone over at stackoverflow.</P> <P>This works in regex101 and any other regex helper sites. However when applied to splunk it only snateches up the first ip. What am I missing her. I have tested each individual part independently(as much as I could) and they have worked.</P> <P>Is there a problem with negative lookaheads in Splunk? </P> <P>Any ideas?</P> Tue, 02 Oct 2018 21:33:47 GMT https://community.splunk.com/t5/Splunk-Search/AD-FS-ip-field-extraction/m-p/405229#M117141 jig004 2018-10-02T21:33:47Z https://community.splunk.com/t5/Splunk-Search/AD-FS-ip-field-extraction/m-p/405230#M117142 <P>Hi @jig004,</P> <P>If you have <CODE>Splunk_TA_windows</CODE> installed on your search head then it will parse <CODE>EventCode</CODE> field and you will able to use below search to extract IP address. In below query regex which I have provided is based on sample data you have provided if you really want to extract all IPv6 range then you need to change regex accordingly.</P> <PRE><CODE>index=&lt;yourindex&gt; EventCode=411 OR EventCode=512 | rex field=_raw max_match=0 "(?&lt;IP&gt;(?:\d{1,3}\.){1,3}\d{1,3}|(?:[0-9a-fA-F]{1,4}:){1,4}(?::[0-9a-fA-F]{1,4}){1,3})" </CODE></PRE> Thu, 04 Oct 2018 14:48:07 GMT https://community.splunk.com/t5/Splunk-Search/AD-FS-ip-field-extraction/m-p/405230#M117142 harsmarvania57 2018-10-04T14:48:07Z https://community.splunk.com/t5/Splunk-Search/AD-FS-ip-field-extraction/m-p/405231#M117143 <P>Did you ever solve this issue?</P> <P>I tried using <CODE>| mvexpand src_ip</CODE>but that didn't grab all of the IP values </P> <P>Thx</P> Mon, 05 Aug 2019 16:34:06 GMT https://community.splunk.com/t5/Splunk-Search/AD-FS-ip-field-extraction/m-p/405231#M117143 jwalzerpitt 2019-08-05T16:34:06Z