topic Re: Regex help! in Splunk Search

Regex help!

kiran331 — Wed, 22 Feb 2017 15:17:24 GMT

How to extract the Ips from the below windows event both Client IP-1 and Client Ip-2

02/22/2017 09:05:24 AM
LogName=Security
SourceName=AD FS Auditing
EventCode=411
EventType=0
Type=Information
ComputerName=ADSFS.ab.com
User=add
Sid=1244
SidType=1
TaskCategory=None
OpCode=Info
RecordNumber=4033770
Keywords=Audit Failure, Classic
Message=Token validation failed. See inner exception for more details.

Additional Data

Activity ID: 00000000-0000-0000-0000-000000000000

Token Type:
http://schemas.microsoft.com/ws/2006/05/identitymodel/tokens/UserName

Client IP:
133.44.55.20.81,122.333.44.55.

Error message:
kiran@ab.com

Exception details:
System.IdentityModel.Tokens.SecurityTokenValidationException: kiran@ab.com
at Microsoft.IdentityServer.Service.Tokens.MSISWindowsUserNameSecurityTokenHandler.ValidateToken(SecurityToken token)

Re: Regex help!

adayton20 — Wed, 22 Feb 2017 16:02:20 GMT

Is this what you're looking for?

| rex field=_raw "(IP\:\s+|\d+\,)(?P<ClientIP>.*)."
| makemv delim="," ClientIP

This should extract the IPs and separate them into their own values.

Re: Regex help!

woodcock — Wed, 22 Feb 2017 16:04:52 GMT

Like this (for IPV4):

... | rex max_match=0 "Client\s+IP:[\r\n\s\d\.\,]*(?<!\d)(?<Client_IP>\d+\.\d+\.\d+\.\d+)"

I do note that you have an IPV5 IP in your example???

Re: Regex help!

DalJeanis — Wed, 22 Feb 2017 17:07:58 GMT

If IPV5 is in play, then you probably want

 ... | rex max_match=0 "Client\s+IP:[\r\n\s\d\.\,]*(?<!\d)(?<Client_IP>\d+\.\d+\.\d+\.\d+(\.\d+)?)"

 ... | rex max_match=0 "Client\s+IP:[\r\n\s\d\.\,]*(?<!\d)(?<Client_IP>\d+(\.\d+){3,4})"

Re: Regex help!

woodcock — Thu, 23 Feb 2017 07:54:38 GMT

Yes, I could have accommodated it but I figured it was a mistake/typo.