Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Could someone provide regex help?

tkerr1357
Path Finder
‎04-07-2022 12:40 PM

Hey all , 

just need a little regex help trying to pull an IP address out  and its not working.

here is my rex 

| rex field=_raw "Remote host:(?<Remotehost>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"

here is an example event 

4/7/22
3:11:32.000 PM
 
04/07/2022 03:11:32 PM LogName=Security EventCode=4779 EventType=0 ComputerName=BPSQCP00S080.rightnetworks.com SourceName=Microsoft Windows security auditing. Type=Information RecordNumber=115076290 Keywords=Audit Success TaskCategory=Other Logon/Logoff Events OpCode=Info Message=A session was disconnected from a Window Station. Subject: Account Name: 705628 Account Domain: RIGHTNETWORKS Logon ID: 0x13887BFB Session: Session Name: RDP-Tcp#81 Additional Information: Client Name: DESKTOP-PIT40LB Client Address: 73.175.205.64
Labels (1)
Labels
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎04-07-2022 12:59 PM

Your event doesn't have "Remote host:" in it

0 Karma
Reply

tkerr1357
Path Finder
‎04-07-2022 01:00 PM

sorry sent the wrong rex 

| rex "Client Address:(?<clientaddress>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎04-07-2022 01:05 PM

Your event has a space after the colon which isn't in your rex expression.

https://regex101.com/r/EeHQwE/1 

0 Karma
Reply

mayurr98
Super Champion
‎04-07-2022 01:28 PM

best to use "\s*" instead of "\s" if you are not sure if there will be a space is future events or not.

0 Karma
Reply
Get Updates on the Splunk Community!

Update Your SOAR Apps for Python 3.13: What Community Developers Need to Know

To Community SOAR App Developers - we're reaching out with an important update regarding Python 3.9's ...

October Community Champions: A Shoutout to Our Contributors!

As October comes to a close, we want to take a moment to celebrate the people who make the Splunk Community ...

Automatic Discovery Part 2: Setup and Best Practices

In Part 1 of this series, we covered what Automatic Discovery is and why it’s critical for observability at ...