Re: search time regular expression.

jsuryaprakash · ‎08-01-2019

Hi All , below is my sample data. We are receiving data using key=value pairs like below.

time=time1 | dest_ip=abmncd.com-123.45.64.78|src_ip=nahahha.com-142.36.28.69|action=success........

I just want to extract just ip address's from dest_ip and src_ip fields at search time in props.conf . when i write rex in search its working, below is my search command which is working..

index =test | rex field=dest_ip "(?(\d{1,3}.){3}\d{1,3})" |rex field src_ip "(?(\d{1,3}.){3}\d{1,3})"

But when i create inline extract in props.conf its not working.

[sourcetype]
EXTRACT-dest_ip = dest_ip="(?(\d{1,3}.){3}\d{1,3})"
EXTRACT-src_ip = src_ip ="(?(\d{1,3}.){3}\d{1,3})"

We need to use the same field names to work with CIM datamodels. we are ok with search time extraction or index time extractions also.Please help

Thanks

gaurav_maniar · ‎08-02-2019

Hi Jsuryaprakash,

Your EXTRACT stanza syntax is incorrect, change it to

EXTRACT-dest_ip = dest_ip\=[^\-]+\-(?P<dest_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})
EXTRACT-src_ip = src_ip\=[^\-]+\-(?P<src_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})

Please upvote and accept the answer if it helps.

jsuryaprakash · ‎08-02-2019

No, its not working. Still field are coming with dns name ip combinations.

gaurav_maniar · ‎08-07-2019

Splunk restart is restart is required if any configuration changes are done, have restarted splunk after these configuration changes?

Even after restart it doesn't work, let me know.

search time regular expression.

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms