Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Field Extraction (rex maybe?)

a_n
Path Finder
‎03-25-2021 07:49 AM

Hello All,

I am not good in Regular Expressions, I need you assist.

In my data, I have a field containing IPs and Ports but in specific sequence:

...some text ... SourceIP DestIP SrcPort DestPort ....some text...
between them there is one SPACE.
as an example:
message=...w 2-APIS 0-External-1 tcp 10.0.12.13 40.126.31.8 55373 443 msg=\"HTTS...

I need to extract fields for SrcIP, DestIP, SrcPort and DestPort.
when I use

 \b(?:[0-9]{1,3}\.){3}[0-9]{1,3}\b \b(?:[0-9]{1,3}\.){3}[0-9]{1,3}\b \d* \d*

OR

\b(?:[0-9]{1,3}\.){3}[0-9]{1,3} (?:[0-9]{1,3}\.){3}[0-9]{1,3}\b \d* \d*
I can grab the 2 IPs and ports  with spaces between them.
I am confused about how to assign each to a new field.
Can someone help?
Or do I have to use REX for search time extraction?
Even to use REX, I appreciate your advices.

Regards,

-Ali

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

scelikok
SplunkTrust
SplunkTrust
‎03-25-2021 08:02 AM

Hi @a_n,

You should use captured group on regex. 

rex sample;

| rex field=message "\b(?<src_ip>(?:[0-9]{1,3}\.){3}[0-9]{1,3})\b \b(?<dest_ip>(?:[0-9]{1,3}\.){3}[0-9]{1,3})\b (?<src_port>\d*) (?<dest_port>\d*)"

props.conf extract

EXTRACT-fields = \b(?<src_ip>(?:[0-9]{1,3}\.){3}[0-9]{1,3})\b \b(?<dest_ip>(?:[0-9]{1,3}\.){3}[0-9]{1,3})\b (?<src_port>\d*) (?<dest_port>\d*)
If this reply helps you an upvote and "Accept as Solution" is appreciated.

View solution in original post

Reply
Solved! Jump to solution

a_n
Path Finder
‎03-25-2021 08:05 AM

Thank you @scelikok 

Undersood.

 

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎03-25-2021 08:04 AM

Hi @a_n,

please try this:

| rex "(?<src_ip>\d+\.\d+\.\d+\.\d+)\s+(?<dest_ip>\d+\.\d+\.\d+\.\d+)\s+(?<src_port>\d+)\s+(?<dest_port>\d+)"

that you can test at https://regex101.com/r/UTRazw/1

if you could share two or three full samples of your logs I could be more precise.

Ciao.

Giuseppe

Reply
Solved! Jump to solution

a_n
Path Finder
‎03-25-2021 08:07 AM

@gcusello 

Thank you

0 Karma
Reply
Solved! Jump to solution

a_n
Path Finder
‎03-25-2021 08:03 AM

Dears,
I used this:
(?<srcip>\d+\.\d+\.\d+\.\d+) (?<dstip>\d+\.\d+\.\d+\.\d+) (?<srcpt>\d+) (?<dstpt>\d+)

Seems ok, but does anyone have better idea?

0 Karma
Reply
Solved! Jump to solution
Solution

scelikok
SplunkTrust
SplunkTrust
‎03-25-2021 08:02 AM

Hi @a_n,

You should use captured group on regex. 

rex sample;

| rex field=message "\b(?<src_ip>(?:[0-9]{1,3}\.){3}[0-9]{1,3})\b \b(?<dest_ip>(?:[0-9]{1,3}\.){3}[0-9]{1,3})\b (?<src_port>\d*) (?<dest_port>\d*)"

props.conf extract

EXTRACT-fields = \b(?<src_ip>(?:[0-9]{1,3}\.){3}[0-9]{1,3})\b \b(?<dest_ip>(?:[0-9]{1,3}\.){3}[0-9]{1,3})\b (?<src_port>\d*) (?<dest_port>\d*)
If this reply helps you an upvote and "Accept as Solution" is appreciated.
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...