Solved: Parsing a field, how can I tell if the value is an...

reswob4 · ‎04-29-2016

If I parse out a field, how can I tell if the value is an IP or a hostname?

timestamp host error: Auth fail user1 from 1.2.3.4
timestamp host error: Auth fail user2 from host.machine.com

While it's easy to put that last info into a field called source,

EXTRACT-user,source = error: Auth fail (?<user>.+?) from (?<source>.+)

I need to find out if the source is an IP or a hostname.

What is the syntax in props.conf to do that?

woodcock · ‎04-29-2016

Like this:

error: Auth fail (?:(?<user>.+?) from (?<source_ip>\d+\.\d+\.\d+\.\d+)|(?<source_hostname>.+))

View solution in original post

acharlieh · ‎04-29-2016

You might be able to use alternation to optionally extract an additional field (I haven't tried this in Splunk yet, but the theory goes like this):

EXTRACT-user,source,ip_source = error : Auth fail (?<user>\S+) from (?<source>(?<ip_source>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})|.+))

(Yes that is an overly broad match for an ipv4 address but bear with me here)

When you have an ipaddress you will have an extra field called ip_source, when you do not, you won't. So you can then test if the ip_source field is populated or null will tell you if the source is an ip address or not.

woodcock · ‎04-29-2016

Like this:

error: Auth fail (?:(?<user>.+?) from (?<source_ip>\d+\.\d+\.\d+\.\d+)|(?<source_hostname>.+))

Parsing a field, how can I tell if the value is an IP or a hostname (string)?

What's New in Splunk Cloud Platform 9.3.2411?

Buttercup Games: Further Dashboarding Techniques (Part 6)

Technical Workshop Series: Splunk Data Management and SPL2 | Register here!