https://community.splunk.com/t5/Splunk-Search/RegEx-AND-OR/m-p/26734#M5177 <P>I am trying to extract an IP address into a field, however the same information occurs on two different logs, with two different logging methods. </P> <P>I am attempting to extract the field with just one RegEx statement, but I can't seem to get the "AND" or "OR" portion of RegEx to recognize both data sets. </P> <P>This is what I have:<BR /> src\s-\s(?<EXT_IP>\d+.\d+.\d+.\d+) OR DENIED\s-\s(?<EXT_IP>\d+.\d+.\d+.\d+)</EXT_IP></EXT_IP></P> <P>I am attempting to extract the external IP address, from two different devices with 1 RegEx statement and put either 'hit' into the field "ext_ip". </P> <P>here are the two message types:<BR /> DENIED - 10.10.10.10:8080 | <BR /> src - 10.10.10.10:8080</P> <P>Does anyone know of a way to do this? </P> Wed, 07 Nov 2012 17:02:21 GMT tmarlette 2012-11-07T17:02:21Z https://community.splunk.com/t5/Splunk-Search/RegEx-AND-OR/m-p/26734#M5177 <P>I am trying to extract an IP address into a field, however the same information occurs on two different logs, with two different logging methods. </P> <P>I am attempting to extract the field with just one RegEx statement, but I can't seem to get the "AND" or "OR" portion of RegEx to recognize both data sets. </P> <P>This is what I have:<BR /> src\s-\s(?<EXT_IP>\d+.\d+.\d+.\d+) OR DENIED\s-\s(?<EXT_IP>\d+.\d+.\d+.\d+)</EXT_IP></EXT_IP></P> <P>I am attempting to extract the external IP address, from two different devices with 1 RegEx statement and put either 'hit' into the field "ext_ip". </P> <P>here are the two message types:<BR /> DENIED - 10.10.10.10:8080 | <BR /> src - 10.10.10.10:8080</P> <P>Does anyone know of a way to do this? </P> Wed, 07 Nov 2012 17:02:21 GMT https://community.splunk.com/t5/Splunk-Search/RegEx-AND-OR/m-p/26734#M5177 tmarlette 2012-11-07T17:02:21Z https://community.splunk.com/t5/Splunk-Search/RegEx-AND-OR/m-p/26735#M5178 <P>in the above RegEx statements, it keeps removing the backslash, so simply assume they are there in the RegEx statement above. <span class="lia-unicode-emoji" title=":grinning_face_with_big_eyes:">😃</span></P> Wed, 07 Nov 2012 17:03:47 GMT https://community.splunk.com/t5/Splunk-Search/RegEx-AND-OR/m-p/26735#M5178 tmarlette 2012-11-07T17:03:47Z https://community.splunk.com/t5/Splunk-Search/RegEx-AND-OR/m-p/26736#M5179 <P>You could try the built in Splunk extraction, since they are 2 different logs and logging methods, just extract the field "src_ip" in each, do a search including both log types and you will get the extracted results from both automagically.</P> <P><A href="http://docs.splunk.com/Documentation/Splunk/4.3.2/User/InteractiveFieldExtractionExample">http://docs.splunk.com/Documentation/Splunk/4.3.2/User/InteractiveFieldExtractionExample</A></P> Wed, 07 Nov 2012 17:53:38 GMT https://community.splunk.com/t5/Splunk-Search/RegEx-AND-OR/m-p/26736#M5179 axinjakson 2012-11-07T17:53:38Z https://community.splunk.com/t5/Splunk-Search/RegEx-AND-OR/m-p/26737#M5180 <P>It treats the backslash as an escape character. To get one to print within the body of the text, you'll have to use two together.</P> Wed, 07 Nov 2012 18:20:20 GMT https://community.splunk.com/t5/Splunk-Search/RegEx-AND-OR/m-p/26737#M5180 sowings 2012-11-07T18:20:20Z https://community.splunk.com/t5/Splunk-Search/RegEx-AND-OR/m-p/26738#M5181 <P>Given that that the difference is the prefix, and the formatting of the address is the same, I might do something like this:</P> <P><CODE>(DENIED|src)\s-\s(?&lt;ip_here&gt;\d+\.\d+\.\d+\.\d+)</CODE></P> Wed, 07 Nov 2012 18:22:21 GMT https://community.splunk.com/t5/Splunk-Search/RegEx-AND-OR/m-p/26738#M5181 sowings 2012-11-07T18:22:21Z https://community.splunk.com/t5/Splunk-Search/RegEx-AND-OR/m-p/26739#M5182 <P>This worked perfectly!!! Thank you very much!</P> Wed, 07 Nov 2012 21:35:45 GMT https://community.splunk.com/t5/Splunk-Search/RegEx-AND-OR/m-p/26739#M5182 tmarlette 2012-11-07T21:35:45Z https://community.splunk.com/t5/Splunk-Search/RegEx-AND-OR/m-p/26740#M5183 <P>Consider accepting the answer if it helped you; in this way, others know that a good solution was found.</P> Thu, 08 Nov 2012 13:22:21 GMT https://community.splunk.com/t5/Splunk-Search/RegEx-AND-OR/m-p/26740#M5183 sowings 2012-11-08T13:22:21Z https://community.splunk.com/t5/Splunk-Search/RegEx-AND-OR/m-p/26741#M5184 <P>hey there i hope this would help you.</P> <HR /> <P><CODE>D?E?N?I?E?D?s?r?c?\s-\s(?&lt;ext_ip&gt;d+.d+.d+.d+):\d{4}</CODE></P> Sat, 16 Mar 2013 19:28:01 GMT https://community.splunk.com/t5/Splunk-Search/RegEx-AND-OR/m-p/26741#M5184 eashwar 2013-03-16T19:28:01Z https://community.splunk.com/t5/Splunk-Search/RegEx-AND-OR/m-p/26742#M5185 <P>Even you can solve the problem like this, you can give one same field with 2 diffrent extraction based on DENIED and src from splunk Web Gui.</P> <P>Kamal Bisht</P> Sun, 17 Mar 2013 03:38:02 GMT https://community.splunk.com/t5/Splunk-Search/RegEx-AND-OR/m-p/26742#M5185 kml_uvce 2013-03-17T03:38:02Z https://community.splunk.com/t5/Splunk-Search/RegEx-AND-OR/m-p/26743#M5186 <P>Note that your regex above would allow for many different prefixes before the IP and port, like:</P> <P>DEDrc -<BR /> EIE - <BR /> Dc -<BR /> DD -<BR /> ENDs -</P> <P>etc.</P> Mon, 18 Mar 2013 17:05:27 GMT https://community.splunk.com/t5/Splunk-Search/RegEx-AND-OR/m-p/26743#M5186 sowings 2013-03-18T17:05:27Z