I have this line from my Windows logs:
**** ALERT **** 10.0.0.3 gave false logon/password to POP server; user: desk1@mydomain.com
But I want to extract "10.0.0.3" and show how many times "10.0.0.3" or any other IP address gave a false logon in a day on a bar chart. I tried to google rex but I'm still in the dark. Can anyone help me extract "10.0.0.3"?
rex "\*\*\*\* ALERT \*\*\*\* (?<IP_Add>) ....
??? I have no idea how to do it.
Thanks,
Frank
This should do it:
... | rex "\*{4} ALERT \*{4} (?<IP_add>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"
... | rex "\*{4} ALERT \*{4} (?<IP_add>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}).*(?<email>[\S]+)$"
should do it.
/kristian
Updated with correct highlighting to show the backslashes. Sorry. /k
Thanks Ayn, it works.
I just received a new requirement. Users also want to retrieve the email address desk1@mydomain.com. Can you help me? Can we extract the two fields in one rex?
Try this (updated for the new requirement to extract the email address):
yoursearch |
rex "ALERT \*+\s(?<ip_add>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\s.*?user:\s(?<email>\S+)" |
chart count by ip_add email
BTW, you may find http://www.regular-expressions.info a helpful site; it's one of my favorites.
https://www.regular-expressions.info/
The link above is broken (last o is missing)
This should do it:
... | rex "\*{4} ALERT \*{4} (?<IP_add>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"
Why is it that the asterisk can be repeated with {4}, but \d{1,3}. cannot?
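The following is an added example, not code from any post in this thread. It runs the same regex as the rex in Ayn's answer (IP address and user: email in one pattern) over a handful of constructed log lines, reproduces the `chart count by ip_add email` result, and then builds the per-day, per-IP count that the original question asked to put on a bar chart. It also includes a second pattern, `(?:\d{1,3}\.){3}\d{1,3}`, which answers the last question: a quantifier such as {4} applies only to the single atom immediately before it (the escaped asterisk), so to repeat the two-atom sequence `\d{1,3}\.` you wrap it in a group first; both patterns extract the same fields. The timestamp prefix on the sample lines is an assumption, since the thread only shows the message body, and the `ipaddress` validation is an added check that the Splunk rex does not do (`\d{1,3}` happily matches 999).

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed sample log lines (not from the original post). The leading
# "YYYY-MM-DD HH:MM:SS" timestamp is an assumed format for the Windows log.
SAMPLE_LOG = """\
2024-03-01 08:15:02 **** ALERT **** 10.0.0.3 gave false logon/password to POP server; user: desk1@mydomain.com
2024-03-01 08:15:09 **** ALERT **** 10.0.0.3 gave false logon/password to POP server; user: desk1@mydomain.com
2024-03-01 09:40:51 **** ALERT **** 192.168.1.20 gave false logon/password to POP server; user: sales@mydomain.com
2024-03-01 10:02:13 INFO 10.0.0.3 logged on to POP server; user: desk1@mydomain.com
2024-03-02 01:12:44 **** ALERT **** 10.0.0.3 gave false logon/password to POP server; user: admin@mydomain.com
2024-03-02 01:13:01 **** ALERT **** 203.0.113.7 gave false logon/password to POP server; user: desk1@mydomain.com
2024-03-02 01:13:05 **** ALERT **** 999.1.1.1 gave false logon/password to POP server; user: bogus@mydomain.com
"""

# Same pattern as the rex in the thread; Python spells named groups (?P<name>...).
ALERT_RE = re.compile(
    r"ALERT \*+\s(?P<ip_add>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\s.*?user:\s(?P<email>\S+)"
)

# Equivalent pattern: \d{1,3}\. is two atoms, so it must be grouped before a
# quantifier can repeat it, exactly as {4} repeats the single atom \*.
ALERT_GROUPED_RE = re.compile(
    r"ALERT \*+\s(?P<ip_add>(?:\d{1,3}\.){3}\d{1,3})\s.*?user:\s(?P<email>\S+)"
)

DAY_RE = re.compile(r"^(?P<day>\d{4}-\d{2}-\d{2})")


def extract(line, pattern=ALERT_RE):
    """Return (day, ip, email) for a false-logon ALERT line, else None.

    Lines without the ALERT banner are skipped, and so are 'addresses' such as
    999.1.1.1 that the \\d{1,3} pattern accepts but that are not valid IPv4.
    """
    m = pattern.search(line)
    if m is None:
        return None
    ip = m.group("ip_add")
    try:
        ipaddress.ip_address(ip)  # added sanity check, not part of the rex
    except ValueError:
        return None
    d = DAY_RE.match(line)
    day = d.group("day") if d else None
    return day, ip, m.group("email")


def count_by_ip_email(lines, pattern=ALERT_RE):
    """Equivalent of `... | chart count by ip_add email`."""
    counts = Counter()
    for line in lines:
        rec = extract(line, pattern)
        if rec is not None:
            _, ip, email = rec
            counts[(ip, email)] += 1
    return dict(counts)


def count_by_day_ip(lines, pattern=ALERT_RE):
    """False logons per source IP per day: the data behind the bar chart."""
    per_day = defaultdict(Counter)
    for line in lines:
        rec = extract(line, pattern)
        if rec is not None:
            day, ip, _ = rec
            per_day[day][ip] += 1
    return {day: dict(c) for day, c in sorted(per_day.items())}


def render_bars(per_day):
    """Plain-text bar chart, one row per (day, ip), as a list of strings."""
    rows = []
    for day, ips in per_day.items():
        for ip, n in sorted(ips.items(), key=lambda kv: -kv[1]):
            rows.append(f"{day} {ip:<15} {'#' * n} {n}")
    return rows


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print(count_by_ip_email(lines))
    print("\n".join(render_bars(count_by_day_ip(lines))))
```

In Splunk itself the per-day bar chart is `... | rex "..." | timechart span=1d count by ip_add`, which does the same day bucketing on `_time`; the `chart count by ip_add email` from the answer gives one row per IP split by email, which is what `count_by_ip_email` reproduces.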