If I parse out a field, how can I tell if the value is an IP or a hostname?
timestamp host error: Auth fail user1 from 1.2.3.4
timestamp host error: Auth fail user2 from host.machine.com
While it's easy to put that last info into a field called source,
EXTRACT-user,source = error: Auth fail (?<user>.+?) from (?<source>.+)
I need to find out if the source is an IP or a hostname.
What is the syntax in props.conf to do that?
Like this:
error: Auth fail (?<user>.+?) from (?:(?<source_ip>\d+\.\d+\.\d+\.\d+)|(?<source_hostname>.+))
You might be able to use alternation to optionally extract an additional field (I haven't tried this in Splunk yet, but the theory goes like this):
EXTRACT-user,source,ip_source = error: Auth fail (?<user>\S+) from (?<source>(?<ip_source>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})|.+)
(Yes, that is an overly broad match for an IPv4 address, but bear with me here.)
When you have an IP address you will have an extra field called ip_source; when you do not, you won't. So testing whether the ip_source field is populated or null will tell you whether the source is an IP address or not.
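To try the alternation idea outside Splunk, here is an added Python example (not code from this thread) that applies the same pattern, rewritten with Python's (?P<name>...) group syntax since Splunk/PCRE use (?<name>...), to constructed events modelled on the question, and adds the octet-range check the answer admits the \d{1,3} pattern lacks. The function names and sample events are my own.

```python
import ipaddress
import re

# Same alternation as the EXTRACT above: ip_source is only populated when the
# source looks like dotted digits. A '$' after the IP branch keeps "1.2.3.4.5"
# from being half-matched as an IP and then falling through as a hostname.
AUTH_FAIL = re.compile(
    r"error: Auth fail (?P<user>\S+) from "
    r"(?P<source>(?P<ip_source>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})$|.+)"
)

# Constructed sample events (not real data), mirroring the ones in the question.
SAMPLE_EVENTS = [
    "2024-01-01T00:00:00 host error: Auth fail user1 from 1.2.3.4",
    "2024-01-01T00:00:01 host error: Auth fail user2 from host.machine.com",
    "2024-01-01T00:00:02 host error: Auth fail user3 from 999.1.2.3",
]


def extract_fields(event):
    """Mimic Splunk's EXTRACT: return only the named groups that matched."""
    m = AUTH_FAIL.search(event)
    if not m:
        return {}
    return {name: val for name, val in m.groupdict().items() if val is not None}


def classify_source(event):
    """'ip' if ip_source is present and a valid IPv4 address, 'hostname' if the
    source matched the fallback branch, 'invalid_ip' if the broad \\d{1,3}
    pattern matched something with an octet over 255, None on no match."""
    fields = extract_fields(event)
    if not fields:
        return None
    ip = fields.get("ip_source")
    if ip is None:
        return "hostname"
    try:
        ipaddress.IPv4Address(ip)  # second-stage check the regex cannot do
    except ValueError:
        return "invalid_ip"
    return "ip"


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(classify_source(event), extract_fields(event))
```

In Splunk the equivalent of classify_source is a search such as `| eval kind=if(isnull(ip_source), "hostname", "ip")`; the octet-range check is the part the regex alone does not give you.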