Re: more regex help

tkerr1357 · ‎04-07-2022

Hey all ,

just need a little regex help trying to pull an IP address out and its not working.

here is my rex

| rex field=_raw "Remote host:(?<Remotehost>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"

here is an example event

4/7/22
3:11:32.000 PM

04/07/2022 03:11:32 PM LogName=Security EventCode=4779 EventType=0 ComputerName=BPSQCP00S080.rightnetworks.com SourceName=Microsoft Windows security auditing. Type=Information RecordNumber=115076290 Keywords=Audit Success TaskCategory=Other Logon/Logoff Events OpCode=Info Message=A session was disconnected from a Window Station. Subject: Account Name: 705628 Account Domain: RIGHTNETWORKS Logon ID: 0x13887BFB Session: Session Name: RDP-Tcp#81 Additional Information: Client Name: DESKTOP-PIT40LB Client Address: 73.175.205.64

ITWhisperer · ‎04-07-2022

Your event doesn't have "Remote host:" in it

tkerr1357 · ‎04-07-2022

sorry sent the wrong rex

| rex "Client Address:(?<clientaddress>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"

ITWhisperer · ‎04-07-2022

Your event has a space after the colon which isn't in your rex expression.

https://regex101.com/r/EeHQwE/1

mayurr98 · ‎04-07-2022

best to use "\s*" instead of "\s" if you are not sure if there will be a space is future events or not.

Could someone provide regex help?

regex

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!