topic Re: Regex expression to extract IP from a raw log file in Splunk Search

Regex expression to extract IP from a raw log file

ssaini5 — Wed, 12 Aug 2020 19:18:17 GMT

Hi all,

I am trying to extract an IP and the word "HOST_NAME" from a raw log file using the following regex expression:

source="/var/tmp/test.log" | rex field=_raw "(?<HOST_NAME>) \b(?:[0-9]{1,3}\.){3}[0-9]{1,3}\b"

Log file:

EXEC_ID: HOST_NAME: 172.19.20.60 USER_NAME: test ================================ TestCaseRunner Summary ----------------------------- Time Taken: 13844ms Total TestSuites: 2 Total TestCases: 6 (0 failed) Total TestSteps: 16 Total Request Assertions: 19 Total Failed Assertions: 0 Total Exported Results: 0

The search results are not extracting the HOST_NAME field and the respective IP. Please suggest what should I change.

Thank you

Re: Regex expression to extract IP from a raw log file

thambisetty — Wed, 12 Aug 2020 19:21:48 GMT

| rex “HOST_NAME:\s+(?<HOST_NAME>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})”

Re: Regex expression to extract IP from a raw log file

ssaini5 — Wed, 12 Aug 2020 19:27:07 GMT

Hi @thambisetty ,

Thanks for the reply. The search is working but the field "HOST_NAME" is still not extracted as a separate field on which I can filter on further.

Re: Regex expression to extract IP from a raw log file

thambisetty — Wed, 12 Aug 2020 19:28:49 GMT

Try changing second hostname in rex command. Say test for example and and see if you are getting ip into it.

Re: Regex expression to extract IP from a raw log file

ssaini5 — Wed, 12 Aug 2020 19:38:46 GMT

That worked thanks a ton 🙂

Re: Regex expression to extract IP from a raw log file

thambisetty — Wed, 12 Aug 2020 19:39:35 GMT

Great.

Up vote is rally appreciated.