https://community.splunk.com/t5/Splunk-Search/Regex-for-extracting-ip-port-and-interface/m-p/37261#M8303 <P>The regexes I listed above are meant to go into props.conf. </P> <P>Also, when posting, use the backtick (`) around code examples. otherwise a lot of stuff will be filtered out.</P> Thu, 16 May 2013 21:55:37 GMT kristian_kolb 2013-05-16T21:55:37Z https://community.splunk.com/t5/Splunk-Search/Regex-for-extracting-ip-port-and-interface/m-p/37253#M8295 <P>In my log data I get lines that look like this:<BR /> dst=10.0.59.59:80:X1<BR /> dst=255.255.255.255:67:X0<BR /> dst=10.0.59.59:9060:X1<BR /> dst=0.0.0.0:0:X0<BR /> dst=224.0.0.5:1</P> <P>The first value is an IP address. The next two values should be port number and interface. I did some field extractions and I can get it to extract all three fields if they are present but when it has only 2 fields it throws away the data. Could you help me write a field extraction regex to get the 2 field and 3 field variants. </P> <P>the field names should be dst_ip, dst_port, dst_interface</P> Mon, 28 Sep 2020 13:55:33 GMT https://community.splunk.com/t5/Splunk-Search/Regex-for-extracting-ip-port-and-interface/m-p/37253#M8295 jalfrey 2020-09-28T13:55:33Z https://community.splunk.com/t5/Splunk-Search/Regex-for-extracting-ip-port-and-interface/m-p/37254#M8296 <P>Well, since there might not always be three fields to extract from the same piece of data, I'd do it in two EXTRACTs in props.conf</P> <PRE><CODE>[your sourcetype] EXTRACT-dst_ip_port = \s+dst=(?&lt;dst_ip&gt;[^:]+):(?&lt;dst_port&gt;\d+) EXTRACT-dst_if = \s+dst=[^:]+:\d+:(?&lt;dst_interface&gt;\S+) </CODE></PRE> <P>/K</P> Thu, 16 May 2013 21:03:04 GMT https://community.splunk.com/t5/Splunk-Search/Regex-for-extracting-ip-port-and-interface/m-p/37254#M8296 kristian_kolb 2013-05-16T21:03:04Z https://community.splunk.com/t5/Splunk-Search/Regex-for-extracting-ip-port-and-interface/m-p/37255#M8297 <P>when I remove the "dst=" and add colons to be beginning and end so it looks like this:<BR /> :10.0.59.59:80:X1:</P> <P>The regex generated looks like:<BR /> (?:[^ \n]* ){3}(?P<FIELDNAME1>[^ ]+)(?:[^.\n]<EM>.){5}\d+(?P<FIELDNAME2>\d+)(?:[^:\n]</FIELDNAME2></EM>:){2}(?P<FIELDNAME3>[^ ]+)</FIELDNAME3></FIELDNAME1></P> <P>When I put your regex into the Interactive field extractor I get nothing. Does the \s+dst need a different beginning?</P> Thu, 16 May 2013 21:15:16 GMT https://community.splunk.com/t5/Splunk-Search/Regex-for-extracting-ip-port-and-interface/m-p/37255#M8297 jalfrey 2013-05-16T21:15:16Z https://community.splunk.com/t5/Splunk-Search/Regex-for-extracting-ip-port-and-interface/m-p/37256#M8298 <P>oh this seems to work<BR /> (?i) dst=[^:]+:\d+:(?P<DST_INTERFACE>X[0-9])</DST_INTERFACE></P> Thu, 16 May 2013 21:24:59 GMT https://community.splunk.com/t5/Splunk-Search/Regex-for-extracting-ip-port-and-interface/m-p/37256#M8298 jalfrey 2013-05-16T21:24:59Z https://community.splunk.com/t5/Splunk-Search/Regex-for-extracting-ip-port-and-interface/m-p/37257#M8299 <P>this one is a little better<BR /> (?i) dst=[^:]+:\d+:(?P<DST_INTERFACE>\w[0-9]+)<BR /> I found out we have other things then just X and possibly 2 digits</DST_INTERFACE></P> Thu, 16 May 2013 21:42:22 GMT https://community.splunk.com/t5/Splunk-Search/Regex-for-extracting-ip-port-and-interface/m-p/37257#M8299 jalfrey 2013-05-16T21:42:22Z https://community.splunk.com/t5/Splunk-Search/Regex-for-extracting-ip-port-and-interface/m-p/37258#M8300 <P>for searching for dst_ip and dst_port this seems to work<BR /> (?i) dst=(?P<DST_IP>\d+.\d+.\d+.\d+):(?P<DST_PORT>[0-9]+)<BR /> No idea if that's efficient</DST_PORT></DST_IP></P> Mon, 28 Sep 2020 13:55:36 GMT https://community.splunk.com/t5/Splunk-Search/Regex-for-extracting-ip-port-and-interface/m-p/37258#M8300 jalfrey 2020-09-28T13:55:36Z https://community.splunk.com/t5/Splunk-Search/Regex-for-extracting-ip-port-and-interface/m-p/37259#M8301 <P>I would use a transform for this one. I not sure how you event is seperated, this is for space delim event. Using Transforms you can create additional extraction from an already extracted value. </P> <P>example Event : 2012-04-23 13:24:25 SUCCESS 10.0.59.59:9060:2561X0 10.214.1.79:9060:X1</P> <P>First trasnfrom does the following key value pairs from _raw:</P> <UL> <LI>date=2012-04-23</LI> <LI>time=13:24:25</LI> <LI>status=SUCCESS</LI> <LI>scr=10.0.59.59:9060:2561X0</LI> <LI>dst=10.214.1.79:9060:X1</LI> </UL> <P>The second transform does the following by using <STRONG>dst</STRONG> as the source_key to prefrom extraction.</P> <UL> <LI>ip=10.214.1.79</LI> <LI>port=9060</LI> <LI>interface=X1 <CODE></CODE><PRE><CODE> #transforms.conf [some_event] DELIMS = " " FIELDS = date,time,status,scr,dst [dstextract] SOURCE_KEY = dst DELIM = ":" FIELDS = ip,port,interface </CODE></PRE> <CODE></CODE><PRE><CODE> #props.conf [Mysource] MAX_TIMESTAMP_LOOKAHEAD=40 NO_BINARY_CHECK=1 SHOULD_LINEMERGE=false TZ=US/Pacific REPORT-Mysource=some_event,dstextract </CODE></PRE></LI> </UL> <P>Hope this help or gives you some ideas. Dont forget to accept and vote up answers that up.</P> <P>Cheers,</P> Thu, 16 May 2013 21:49:54 GMT https://community.splunk.com/t5/Splunk-Search/Regex-for-extracting-ip-port-and-interface/m-p/37259#M8301 bmacias84 2013-05-16T21:49:54Z https://community.splunk.com/t5/Splunk-Search/Regex-for-extracting-ip-port-and-interface/m-p/37260#M8302 <P>that's why I put in <CODE>\S+</CODE>, i.e. 'one or more non-whitespace characters' for the interface extraction. If this indeed captures more than intended you should post a couple of full events, or explain more clearly how the fields are delimited in your events.</P> Thu, 16 May 2013 21:52:08 GMT https://community.splunk.com/t5/Splunk-Search/Regex-for-extracting-ip-port-and-interface/m-p/37260#M8302 kristian_kolb 2013-05-16T21:52:08Z https://community.splunk.com/t5/Splunk-Search/Regex-for-extracting-ip-port-and-interface/m-p/37261#M8303 <P>The regexes I listed above are meant to go into props.conf. </P> <P>Also, when posting, use the backtick (`) around code examples. otherwise a lot of stuff will be filtered out.</P> Thu, 16 May 2013 21:55:37 GMT https://community.splunk.com/t5/Splunk-Search/Regex-for-extracting-ip-port-and-interface/m-p/37261#M8303 kristian_kolb 2013-05-16T21:55:37Z https://community.splunk.com/t5/Splunk-Search/Regex-for-extracting-ip-port-and-interface/m-p/37262#M8304 <P>this looks good. I see that you posted to do it in flat text. Is there any way to do this in the GUI so I can test the functionality?</P> Thu, 16 May 2013 22:48:06 GMT https://community.splunk.com/t5/Splunk-Search/Regex-for-extracting-ip-port-and-interface/m-p/37262#M8304 jalfrey 2013-05-16T22:48:06Z https://community.splunk.com/t5/Splunk-Search/Regex-for-extracting-ip-port-and-interface/m-p/37263#M8305 <P>I preform all configurations through direct edit of the conf files. The GUI only provides limited functionality for advanced configurations direct editing is required.</P> Thu, 16 May 2013 23:00:25 GMT https://community.splunk.com/t5/Splunk-Search/Regex-for-extracting-ip-port-and-interface/m-p/37263#M8305 bmacias84 2013-05-16T23:00:25Z https://community.splunk.com/t5/Splunk-Search/Regex-for-extracting-ip-port-and-interface/m-p/37264#M8306 <P>when I change the props.conf do I need to restart splunk?</P> Mon, 17 Jun 2013 20:15:15 GMT https://community.splunk.com/t5/Splunk-Search/Regex-for-extracting-ip-port-and-interface/m-p/37264#M8306 jalfrey 2013-06-17T20:15:15Z https://community.splunk.com/t5/Splunk-Search/Regex-for-extracting-ip-port-and-interface/m-p/37265#M8307 <P>yes you must do a splunk restart</P> Mon, 17 Jun 2013 20:19:01 GMT https://community.splunk.com/t5/Splunk-Search/Regex-for-extracting-ip-port-and-interface/m-p/37265#M8307 jalfrey 2013-06-17T20:19:01Z