Hi All,
What should the regex be when doing field extraction for srcip from an event like this?
eventtime=1604591829395228259 appid=41 srcip=192.168.1.1 dstip=192.168.2.2 srcport=47450 dstport=443
Hi @pavanbmishra,
you shouldn't need to extract the srcip field because Splunk automatically recognizes the pairs "field=value".
Anyway, you can extract the value of srcip using the following regex:
| rex "srcip\=(?<srcip>\d+\.\d+\.\d+\.\d+)"
that you can test at https://regex101.com/r/fJaZwd/1
Ciao.
Giuseppe
Thanks,
And what about the action field here?
applist="sniffer-profile" action="pass" appcat="Network.Service"
Hi @pavanbmishra,
same answer: you don't need field extractions, but if you want you can use one regex or three similar regexes:
one regex
| rex "applist\=\"(?<applist>[^\"]+)\"\s+action\=\"(?<action>[^\"]+)\"\s+appcat\=\"(?<appcat>[^\"]+)\""
three regexes:
| rex "applist\=\"(?<applist>[^\"]+)\""
| rex "action\=\"(?<action>[^\"]+)\""
| rex "appcat\=\"(?<appcat>[^\"]+)\""
Ciao.
Giuseppe
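As an added example that is not part of this thread or of Splunk itself, the script below runs Python equivalents of the two answers' regexes (the srcip extraction and the three quoted-field extractions) over constructed events modelled on the lines quoted above. It also includes a small generic key=value tokenizer in the spirit of Splunk's automatic "field=value" recognition, which handles a quoted value that itself contains spaces and an "=" sign, and it validates the matched srcip with the ipaddress module because `\d+\.\d+\.\d+\.\d+` alone also accepts strings such as 999.999.999.999. The event strings, function names and the `\b` word boundary added to the patterns are this example's own choices, not the original poster's data.

```python
import ipaddress
import re

# Constructed sample events, modelled on the two lines quoted in the thread
# (not real log data). The third one is an edge case: a quoted value that
# contains spaces and an '=' sign.
EVENTS = [
    'eventtime=1604591829395228259 appid=41 srcip=192.168.1.1 '
    'dstip=192.168.2.2 srcport=47450 dstport=443',
    'applist="sniffer-profile" action="pass" appcat="Network.Service"',
    'srcip=10.0.0.7 msg="user=alice logged in" action="block"',
]

# Python form of: | rex "srcip\=(?<srcip>\d+\.\d+\.\d+\.\d+)"
# Python names groups with (?P<name>...); \b stops "xsrcip=" from matching.
SRCIP_RE = re.compile(r'\bsrcip=(?P<srcip>\d+\.\d+\.\d+\.\d+)')

# Python form of the three separate rex commands for the quoted fields.
QUOTED_RE = {
    name: re.compile(rf'\b{name}="(?P<{name}>[^"]+)"')
    for name in ('applist', 'action', 'appcat')
}

# Generic key=value tokenizer, roughly what automatic extraction does:
# key is \w+, value is either a double-quoted string (may contain spaces
# and '=') or a run of non-whitespace characters.
KV_RE = re.compile(r'(?P<key>\w+)=(?:"(?P<quoted>[^"]*)"|(?P<bare>\S+))')


def extract_srcip(event):
    """Return srcip as a validated IPv4Address, or None if absent/invalid.

    The loose digit pattern also matches 999.999.999.999; validating here is
    the cheap check wanted before the field feeds a lookup or a threat list.
    """
    m = SRCIP_RE.search(event)
    if not m:
        return None
    try:
        return ipaddress.IPv4Address(m.group('srcip'))
    except ValueError:
        return None


def extract_quoted_fields(event):
    """Apply the three quoted-field regexes; a field that is absent is skipped."""
    out = {}
    for name, rx in QUOTED_RE.items():
        m = rx.search(event)
        if m:
            out[name] = m.group(name)
    return out


def extract_kv(event):
    """Tokenize every key=value pair in the event into a dict of strings."""
    fields = {}
    for m in KV_RE.finditer(event):
        quoted = m.group('quoted')
        fields[m.group('key')] = quoted if quoted is not None else m.group('bare')
    return fields


if __name__ == '__main__':
    for ev in EVENTS:
        print('srcip :', extract_srcip(ev))
        print('quoted:', extract_quoted_fields(ev))
        print('kv    :', extract_kv(ev))
        print()
```

The one-regex variant from the answer above only works when the three fields always appear in that order with nothing between them; the three separate regexes (and the tokenizer here) tolerate reordering and missing fields, which is usually what firewall-style key=value logs require.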