Solved: Extract IP Address with rex or trim

frankagustinus · ‎06-01-2012

I have this line from my Windows logs :

**** ALERT **** 10.0.0.3 gave false logon/password to POP server; user: desk1@mydomain.com

But I want to extract "10.0.0.3" and shows how many times "10.0.0.3" or any other IP Address gave false logon in a day on a bar chart. Tried to google rex but i'm still in the dark. Can anyone help me how to extract "10.0.0.3" ?

rex "\*\*\*\* ALERT \*\*\*\* (?<IP_Add>) ....

??? I have no idea how to do it.

Thanks,
Frank

Ayn · ‎06-01-2012

This should do it:

... | rex "\*{4} ALERT \*{4} (?<IP_add>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"

View solution in original post

kristian_kolb · ‎06-01-2012

... | rex "\*{4} ALERT \*{4} (?<IP_add>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}).*(?<email>[\S]+)$"

should do it.

/kristian

kristian_kolb · ‎06-01-2012

updated with correct highlighting to show the backslashes. sorry. /k

frankagustinus · ‎06-01-2012

Thanks Ayn .. It works.

I just received a new requirement. Users also wanted to retrieve the email address desk1@mydomain.com. Can you help me ? Can we extract the two fields in one rex ?

lguinn2 · ‎06-01-2012

Try this (updated for new requirement to extract email address)

yoursearch |
rex "ALERT \*+\s(?<ip_add>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\s.*?user:\s(?<email>\S+)" |
chart count by ip_add email

BTW, you may find http://www.regular-expressions.info a helpful site; it's one of my favorites.

tdthorwald · ‎05-31-2019

https://www.regular-expressions.info/

The link above is broken (last o is missing)

Ayn · ‎06-01-2012

This should do it:

... | rex "\*{4} ALERT \*{4} (?<IP_add>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"

tdthorwald · ‎05-31-2019

What is the reason why the asterisk can be repeated with {4}, but \d{1,3}. cannot?

Extract IP Address with rex or trim

Splunk Security Content for Threat Detection & Response, Q1 Roundup

Splunk Life | Happy Pride Month!

SplunkTrust | Where Are They Now - Michael Uschmann