Security

search time regular expression.

Path Finder

Hi All , below is my sample data. We are receiving data using key=value pairs like below.

time=time1 | dest_ip=abmncd.com-123.45.64.78|src_ip=nahahha.com-142.36.28.69|action=success........

I just want to extract just ip address's from dest_ip and src_ip fields at search time in props.conf . when i write rex in search its working, below is my search command which is working..

index =test | rex field=dest_ip "(?(\d{1,3}.){3}\d{1,3})" |rex field src_ip "(?(\d{1,3}.){3}\d{1,3})"

But when i create inline extract in props.conf its not working.

[sourcetype]
EXTRACT-dest_ip = dest_ip="(?(\d{1,3}.){3}\d{1,3})"
EXTRACT-src_ip = src_ip ="(?(\d{1,3}.){3}\d{1,3})"

We need to use the same field names to work with CIM datamodels. we are ok with search time extraction or index time extractions also.Please help

Thanks

Tags (1)
0 Karma

Hi Jsuryaprakash,

Your EXTRACT stanza syntax is incorrect, change it to

EXTRACT-dest_ip = dest_ip\=[^\-]+\-(?P<dest_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})
EXTRACT-src_ip = src_ip\=[^\-]+\-(?P<src_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})

Please upvote and accept the answer if it helps.

0 Karma

Path Finder

No, its not working. Still field are coming with dns name ip combinations.

0 Karma

Splunk restart is restart is required if any configuration changes are done, have restarted splunk after these configuration changes?

Even after restart it doesn't work, let me know.

0 Karma
Don’t Miss Global Splunk
User Groups Week!

Free LIVE events worldwide 2/8-2/12
Connect, learn, and collect rad prizes
and swag!