Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Parsing a field, how can I tell if the value is an IP or a hostname (string)?

reswob4
Builder
‎04-29-2016 10:33 AM

If I parse out a field, how can I tell if the value is an IP or a hostname?

timestamp host error: Auth fail user1 from 1.2.3.4
timestamp host error: Auth fail user2 from host.machine.com

While it's easy to put that last info into a field called source,

EXTRACT-user,source = error: Auth fail (?<user>.+?) from (?<source>.+)

I need to find out if the source is an IP or a hostname.

What is the syntax in props.conf to do that?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎04-29-2016 10:44 AM

Like this:

error: Auth fail (?:(?<user>.+?) from (?<source_ip>\d+\.\d+\.\d+\.\d+)|(?<source_hostname>.+))

View solution in original post

0 Karma
Reply
Solved! Jump to solution

acharlieh
Influencer
‎04-29-2016 10:47 AM

You might be able to use alternation to optionally extract an additional field (I haven't tried this in Splunk yet, but the theory goes like this):

EXTRACT-user,source,ip_source = error : Auth fail (?<user>\S+) from (?<source>(?<ip_source>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})|.+))

(Yes that is an overly broad match for an ipv4 address but bear with me here)

When you have an ipaddress you will have an extra field called ip_source, when you do not, you won't. So you can then test if the ip_source field is populated or null will tell you if the source is an ip address or not.

0 Karma
Reply
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎04-29-2016 10:44 AM

Like this:

error: Auth fail (?:(?<user>.+?) from (?<source_ip>\d+\.\d+\.\d+\.\d+)|(?<source_hostname>.+))
0 Karma
Reply
Get Updates on the Splunk Community!

Building Reliable Asset and Identity Frameworks in Splunk ES

 Accurate asset and identity resolution is the backbone of security operations. Without it, alerts are ...

Cloud Monitoring Console - Unlocking Greater Visibility in SVC Usage Reporting

For Splunk Cloud customers, understanding and optimizing Splunk Virtual Compute (SVC) usage and resource ...

Automatic Discovery Part 3: Practical Use Cases

If you’ve enabled Automatic Discovery in your install of the Splunk Distribution of the OpenTelemetry ...