Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Parsing a field, how can I tell if the value is an IP or a hostname (string)?

reswob4
Builder
‎04-29-2016 10:33 AM

If I parse out a field, how can I tell if the value is an IP or a hostname?

timestamp host error: Auth fail user1 from 1.2.3.4
timestamp host error: Auth fail user2 from host.machine.com

While it's easy to put that last info into a field called source,

EXTRACT-user,source = error: Auth fail (?<user>.+?) from (?<source>.+)

I need to find out if the source is an IP or a hostname.

What is the syntax in props.conf to do that?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎04-29-2016 10:44 AM

Like this:

error: Auth fail (?:(?<user>.+?) from (?<source_ip>\d+\.\d+\.\d+\.\d+)|(?<source_hostname>.+))

View solution in original post

0 Karma
Reply
Solved! Jump to solution

acharlieh
Influencer
‎04-29-2016 10:47 AM

You might be able to use alternation to optionally extract an additional field (I haven't tried this in Splunk yet, but the theory goes like this):

EXTRACT-user,source,ip_source = error : Auth fail (?<user>\S+) from (?<source>(?<ip_source>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})|.+))

(Yes that is an overly broad match for an ipv4 address but bear with me here)

When you have an ipaddress you will have an extra field called ip_source, when you do not, you won't. So you can then test if the ip_source field is populated or null will tell you if the source is an ip address or not.

0 Karma
Reply
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎04-29-2016 10:44 AM

Like this:

error: Auth fail (?:(?<user>.+?) from (?<source_ip>\d+\.\d+\.\d+\.\d+)|(?<source_hostname>.+))
0 Karma
Reply
Get Updates on the Splunk Community!

Accelerating Observability as Code with the Splunk AI Assistant

We’ve seen in previous posts what Observability as Code (OaC) is and how it’s now essential for managing ...

Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...

 Splunk is More Than Just the Web Console For Digital Forensics and Incident Response (DFIR) practitioners, ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...