
Help with combining fields

Communicator

I have a pair of fields, "src_ip" and "dst_ip", that I want to combine into a single field, "IP", and then chart results based on the values of the new field, IP.

I thought that I could use regex as follows:

...|rex field=_raw "(src_ip=|dst_ip=)(?\d+.\d+.\d+.\d+)"

However, when I follow that with "... | stats count(inst) by IP", I get results that match those I would get if I had run "... | stats count(inst) by src_ip".

please educate me?

1 Solution

Motivator

If you are trying to get a multi-value field, then your main issue is that by default rex will only look for the first match. You can use max_match to change that. You also need to specify a field name for your capture group:

| rex field=_raw max_match=5 "(src_ip|dst_ip)=(?<IP>\d+\.\d+\.\d+\.\d+)"

If your objective is to run stats by source/dest pair, then you can do simple string concatenation as ftk suggests. That will give you a single-value field containing a source-destination pair. You may also want to add a delimiter for readability:

| eval IP = src_ip." / ".dst_ip

If you want a single-value field containing src_ip or dst_ip, but the events contain only one or the other, then you can use:

| eval IP = coalesce(src_ip, dst_ip)

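The three approaches from the accepted answer, modelled in Python as an added illustration (this is not code from the original thread or from Splunk): a first-match extractor standing in for the default rex behaviour, a multi-match extractor standing in for max_match, plus the concatenation and coalesce variants, all run over a handful of constructed firewall-style events. The sample events, the inst field, and all function names are assumptions. The block also shows why the first-match version reproduces "stats count by src_ip", and why the last octet of the IP pattern needs \d+ rather than a single \d.

```python
import re
from collections import Counter

# Constructed sample events (assumed format, not from the original post).
EVENTS = [
    "action=allow src_ip=10.0.0.5 dst_ip=192.168.1.10 inst=fw1",
    "action=allow src_ip=10.0.0.5 dst_ip=192.168.1.20 inst=fw1",
    "action=deny src_ip=172.16.0.9 dst_ip=192.168.1.10 inst=fw2",
    "action=allow dst_ip=192.168.1.10 inst=fw2",                  # only dst_ip present
    "action=allow src_ip=10.0.0.250 dst_ip=10.0.0.15 inst=fw1",   # multi-digit last octets
]

# Pattern from the accepted answer, with the last octet as \d+.
IP_RE = re.compile(r"(?:src_ip|dst_ip)=(?P<IP>\d+\.\d+\.\d+\.\d+)")
# Same pattern with a single \d in the last octet, to show the truncation it causes.
TRUNC_RE = re.compile(r"(?:src_ip|dst_ip)=(?P<IP>\d+\.\d+\.\d+\.\d)")
# Simple key=value splitter standing in for Splunk's automatic field extraction.
KV_RE = re.compile(r"(\w+)=(\S+)")


def extract_kv(event):
    """Return the key=value pairs of one event as a dict (assumed auto-extracted fields)."""
    return dict(KV_RE.findall(event))


def rex_first(event, pattern=IP_RE):
    """Default rex behaviour (max_match=1): a single-valued field holding the first hit only.
    Because src_ip precedes dst_ip in every event, this is always the src_ip value."""
    m = pattern.search(event)
    return m.group("IP") if m else None


def rex_multi(event, pattern=IP_RE, max_match=0):
    """rex with max_match>1: a multivalue field holding every hit (0 = unlimited)."""
    values = [m.group("IP") for m in pattern.finditer(event)]
    return values if max_match == 0 else values[:max_match]


def stats_count_by(events, extractor):
    """stats count by <field>: a multivalue field contributes one count per value."""
    counts = Counter()
    for event in events:
        value = extractor(event)
        if value is None:
            continue
        for ip in (value if isinstance(value, list) else [value]):
            counts[ip] += 1
    return dict(counts)


def stats_count_by_field(events, name):
    """stats count by an auto-extracted field such as src_ip (events lacking it are skipped)."""
    return dict(Counter(f[name] for f in map(extract_kv, events) if name in f))


def pair_field(event, delim=" / "):
    """eval IP = src_ip." / ".dst_ip: concatenation; null if either operand is missing."""
    f = extract_kv(event)
    if "src_ip" not in f or "dst_ip" not in f:
        return None
    return f["src_ip"] + delim + f["dst_ip"]


def coalesce_field(event):
    """eval IP = coalesce(src_ip, dst_ip): first non-null of the two."""
    f = extract_kv(event)
    return f.get("src_ip", f.get("dst_ip"))


if __name__ == "__main__":
    print("first match only:", stats_count_by(EVENTS, rex_first))
    print("count by src_ip :", stats_count_by_field(EVENTS, "src_ip"))
    print("all matches     :", stats_count_by(EVENTS, rex_multi))
    print("truncated octets:", rex_multi(EVENTS[4], TRUNC_RE))
    print("pair            :", pair_field(EVENTS[0]))
    print("coalesce        :", coalesce_field(EVENTS[3]))
```

The first-match counts agree with the count by src_ip for every event that has a src_ip, which is the symptom described in the question; only once every match is kept does dst_ip contribute its own rows. Note that concatenation returns null when either side is missing, so the coalesce form is the right one for events that carry only one of the two fields.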
Communicator

max_match is my ticket. Thank you!


Motivator

You can concatenate multiple fields together using eval:

your search | eval IP = src_ip.dst_ip