https://community.splunk.com/t5/Splunk-Search/Regex-and-extracting-the-IP-hostname-from-internal/m-p/438624#M124844 <P>Try <CODE>component=tcpinconnection</CODE>.</P> Thu, 14 Mar 2019 12:23:40 GMT richgalloway 2019-03-14T12:23:40Z https://community.splunk.com/t5/Splunk-Search/Regex-and-extracting-the-IP-hostname-from-internal/m-p/438620#M124840 <P>One of my ongoing gripes with splunk is that there is no way to see the IP and the hostname -- either my forwarder sends a hostname, or an IP. Not both. I know the information is there, as I can see it in the _internal splunkd log.<BR /> So, I was trying to make a list of all IP+hostnames out of this list:</P> <PRE><CODE>index=_internal uri=* component=HttpPubSubConnection </CODE></PRE> <P>Result: </P> <PRE><CODE>HttpPubSubConnection - Running phone uri=/services/broker/phonehome/connection_ipaddress_8089_instancename_hostname_FAB4D96E-5A4A-4593-8914-635506217E40 </CODE></PRE> <P>In the URI, it has the ip and a hostname. So, I want to extract this!<BR /> In the splunk field extractor, I type my own regex,</P> <PRE><CODE> ^(?:[^_]+_){4}(?P&lt;internal_ip&gt;[^_ ]+) </CODE></PRE> <P>This works great! It shows all my matches, I save it, run my search, all is well.</P> <P>Now if I do the same without the props.conf:</P> <PRE><CODE>index=_internal uri=* component=HttpPubSubConnection | regex "^(?:[^_]+_){1}(?P&lt;internal_ip&gt;[^_ ]+)" | table internal_ip </CODE></PRE> <P>Nothing.<BR /> I could do it all via props.conf, but there are so many situations where that regex matches outside the specific search I want to run that I figured it was much more efficient to just do the regex in the search string. But, no extraction seems to be happening.<BR /> Any suggestions?</P> Tue, 12 Mar 2019 20:43:11 GMT https://community.splunk.com/t5/Splunk-Search/Regex-and-extracting-the-IP-hostname-from-internal/m-p/438620#M124840 oliverj 2019-03-12T20:43:11Z https://community.splunk.com/t5/Splunk-Search/Regex-and-extracting-the-IP-hostname-from-internal/m-p/438621#M124841 <P>The <CODE>regex</CODE> command does not do field extractions. Use <CODE>rex</CODE>, instead.</P> <PRE><CODE>... | rex field=uri "[^_]+_(?P&lt;internal_ip&gt;[^_ ]+)_\d+_[^_]+_(?&lt;hostname&gt;[^_]+)" | ... </CODE></PRE> Tue, 12 Mar 2019 21:02:25 GMT https://community.splunk.com/t5/Splunk-Search/Regex-and-extracting-the-IP-hostname-from-internal/m-p/438621#M124841 richgalloway 2019-03-12T21:02:25Z https://community.splunk.com/t5/Splunk-Search/Regex-and-extracting-the-IP-hostname-from-internal/m-p/438622#M124842 <P>That was exactly what I needed. Thank you.</P> Wed, 13 Mar 2019 13:26:55 GMT https://community.splunk.com/t5/Splunk-Search/Regex-and-extracting-the-IP-hostname-from-internal/m-p/438622#M124842 oliverj 2019-03-13T13:26:55Z https://community.splunk.com/t5/Splunk-Search/Regex-and-extracting-the-IP-hostname-from-internal/m-p/438623#M124843 <P>To anyone who finds this post later -- this is a terrible search. I just realized it only pulls data from hosts that use deployment servers, not all UniversalForwarders. So anything that sends without being a part of the deployment server (for us, hundreds of devices we don't own) will not show up. Sigh.</P> <P>But the search/extraction still works great! Just...back to the drawing board.</P> Wed, 13 Mar 2019 13:56:25 GMT https://community.splunk.com/t5/Splunk-Search/Regex-and-extracting-the-IP-hostname-from-internal/m-p/438623#M124843 oliverj 2019-03-13T13:56:25Z https://community.splunk.com/t5/Splunk-Search/Regex-and-extracting-the-IP-hostname-from-internal/m-p/438624#M124844 <P>Try <CODE>component=tcpinconnection</CODE>.</P> Thu, 14 Mar 2019 12:23:40 GMT https://community.splunk.com/t5/Splunk-Search/Regex-and-extracting-the-IP-hostname-from-internal/m-p/438624#M124844 richgalloway 2019-03-14T12:23:40Z