https://community.splunk.com/t5/Splunk-Search/Field-Extraction-rex-maybe/m-p/545417#M154483 <P>Hello All,</P><P>I am not good in Regular Expressions, I need you assist.</P><P>In my data, I have a field containing IPs and Ports but in specific sequence:<BR /><BR /></P><P>...some text ... SourceIP DestIP SrcPort DestPort ....some text...<BR />between them there is one SPACE.<BR />as an example:<BR />message=...w 2-APIS 0-External-1 tcp 10.0.12.13 40.126.31.8 55373 443 msg=\"HTTS...<BR /><BR />I need to extract fields for SrcIP, DestIP, SrcPort and DestPort.<BR />when I use</P><P>&nbsp;\b(?:[0-9]{1,3}\.){3}[0-9]{1,3}\b \b(?:[0-9]{1,3}\.){3}[0-9]{1,3}\b \d* \d*</P><P>OR</P><P>\b(?:[0-9]{1,3}\.){3}[0-9]{1,3} (?:[0-9]{1,3}\.){3}[0-9]{1,3}\b&nbsp;\d* \d*<BR />I can grab the 2 IPs and ports&nbsp; with spaces between them.<BR />I am confused about how to assign each to a new field.<BR />Can someone help?<BR />Or do I have to use REX for search time extraction?<BR />Even to use REX, I appreciate your advices.</P><P>Regards,</P><P>-Ali</P> Thu, 25 Mar 2021 14:49:16 GMT a_n 2021-03-25T14:49:16Z https://community.splunk.com/t5/Splunk-Search/Field-Extraction-rex-maybe/m-p/545417#M154483 <P>Hello All,</P><P>I am not good in Regular Expressions, I need you assist.</P><P>In my data, I have a field containing IPs and Ports but in specific sequence:<BR /><BR /></P><P>...some text ... SourceIP DestIP SrcPort DestPort ....some text...<BR />between them there is one SPACE.<BR />as an example:<BR />message=...w 2-APIS 0-External-1 tcp 10.0.12.13 40.126.31.8 55373 443 msg=\"HTTS...<BR /><BR />I need to extract fields for SrcIP, DestIP, SrcPort and DestPort.<BR />when I use</P><P>&nbsp;\b(?:[0-9]{1,3}\.){3}[0-9]{1,3}\b \b(?:[0-9]{1,3}\.){3}[0-9]{1,3}\b \d* \d*</P><P>OR</P><P>\b(?:[0-9]{1,3}\.){3}[0-9]{1,3} (?:[0-9]{1,3}\.){3}[0-9]{1,3}\b&nbsp;\d* \d*<BR />I can grab the 2 IPs and ports&nbsp; with spaces between them.<BR />I am confused about how to assign each to a new field.<BR />Can someone help?<BR />Or do I have to use REX for search time extraction?<BR />Even to use REX, I appreciate your advices.</P><P>Regards,</P><P>-Ali</P> Thu, 25 Mar 2021 14:49:16 GMT https://community.splunk.com/t5/Splunk-Search/Field-Extraction-rex-maybe/m-p/545417#M154483 a_n 2021-03-25T14:49:16Z https://community.splunk.com/t5/Splunk-Search/Field-Extraction-rex-maybe/m-p/545424#M154484 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/176730">@a_n</a>,</P><P>You should use captured group on regex.&nbsp;</P><P>rex sample;</P><LI-CODE lang="markup">| rex field=message "\b(?&lt;src_ip&gt;(?:[0-9]{1,3}\.){3}[0-9]{1,3})\b \b(?&lt;dest_ip&gt;(?:[0-9]{1,3}\.){3}[0-9]{1,3})\b (?&lt;src_port&gt;\d*) (?&lt;dest_port&gt;\d*)"</LI-CODE><P>props.conf extract</P><LI-CODE lang="markup">EXTRACT-fields = \b(?&lt;src_ip&gt;(?:[0-9]{1,3}\.){3}[0-9]{1,3})\b \b(?&lt;dest_ip&gt;(?:[0-9]{1,3}\.){3}[0-9]{1,3})\b (?&lt;src_port&gt;\d*) (?&lt;dest_port&gt;\d*)</LI-CODE> Thu, 25 Mar 2021 15:02:53 GMT https://community.splunk.com/t5/Splunk-Search/Field-Extraction-rex-maybe/m-p/545424#M154484 scelikok 2021-03-25T15:02:53Z https://community.splunk.com/t5/Splunk-Search/Field-Extraction-rex-maybe/m-p/545426#M154485 <P>Dears,<BR />I used this:<BR />(?&lt;srcip&gt;\d+\.\d+\.\d+\.\d+) (?&lt;dstip&gt;\d+\.\d+\.\d+\.\d+) (?&lt;srcpt&gt;\d+) (?&lt;dstpt&gt;\d+)<BR /><BR />Seems ok, but does anyone have better idea?</P> Thu, 25 Mar 2021 15:03:43 GMT https://community.splunk.com/t5/Splunk-Search/Field-Extraction-rex-maybe/m-p/545426#M154485 a_n 2021-03-25T15:03:43Z https://community.splunk.com/t5/Splunk-Search/Field-Extraction-rex-maybe/m-p/545428#M154487 <P>Hi <a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/176730">@a_n</a>,</P><P>please try this:</P><LI-CODE lang="markup">| rex "(?&lt;src_ip&gt;\d+\.\d+\.\d+\.\d+)\s+(?&lt;dest_ip&gt;\d+\.\d+\.\d+\.\d+)\s+(?&lt;src_port&gt;\d+)\s+(?&lt;dest_port&gt;\d+)"</LI-CODE><P>that you can test at&nbsp;<A href="https://regex101.com/r/UTRazw/1" target="_blank">https://regex101.com/r/UTRazw/1</A></P><P>if you could share two or three full samples of your logs I could be more precise.</P><P>Ciao.</P><P>Giuseppe</P> Thu, 25 Mar 2021 15:04:34 GMT https://community.splunk.com/t5/Splunk-Search/Field-Extraction-rex-maybe/m-p/545428#M154487 gcusello 2021-03-25T15:04:34Z https://community.splunk.com/t5/Splunk-Search/Field-Extraction-rex-maybe/m-p/545429#M154488 <P>Thank you&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/206061">@scelikok</a>&nbsp;<BR /><BR />Undersood.</P><P>&nbsp;</P> Thu, 25 Mar 2021 15:05:18 GMT https://community.splunk.com/t5/Splunk-Search/Field-Extraction-rex-maybe/m-p/545429#M154488 a_n 2021-03-25T15:05:18Z https://community.splunk.com/t5/Splunk-Search/Field-Extraction-rex-maybe/m-p/545430#M154489 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/161352">@gcusello</a>&nbsp;</P><P>Thank you</P> Thu, 25 Mar 2021 15:07:27 GMT https://community.splunk.com/t5/Splunk-Search/Field-Extraction-rex-maybe/m-p/545430#M154489 a_n 2021-03-25T15:07:27Z