Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How can I extract two fields as a single field in my search result.

ranjyotiprakash
Communicator
‎04-29-2012 10:26 PM

How can I extract two fields as a single field in my search result. The log format is as follows :

Apr 24 18:37:07 10.11.26.83 2012-04-24 06:07:09.732 -0700 barracuda WF ALER SQL_INJECTION_IN_URL 99.99.182.1 44727 99.99.83.74 80 security-policy GLOBAL DENY NONE [type="sql-injection-medium" pattern="sql-comments" token="/"] GET 99.99.83.74/index.html// HTTP "-" "Wget/1.12 (linux-gnu)" 99.99.182.1 44727 "-" "-"

The two fields in bold letters are the application_ip and application_port fields respectively. And I want to extract the two fields together in my search results in the format of application_ip:application:port . How can this be done ?
Please help ...
Thanks...

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Damien_Dallimor
Ultra Champion
‎04-29-2012 11:07 PM

Here is an extraction that should work with the above sample event text.I don't know what all your events look like so I can only provide an example regex based on what you provided, therefore you may need to adjust the regex as necessary to work with a wider selection of event text formats.

... | rex field=_raw "^(?i).+barracuda\s\w+\s\w+\s\w+\s\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\s\d{2,5}\s(?<ipaddress>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\s(?<port>\d{2,5})\s.+$" | eval ip_port=ipaddress+":"+port | table ip_port

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

Damien_Dallimor
Ultra Champion
‎04-29-2012 11:07 PM

Here is an extraction that should work with the above sample event text.I don't know what all your events look like so I can only provide an example regex based on what you provided, therefore you may need to adjust the regex as necessary to work with a wider selection of event text formats.

... | rex field=_raw "^(?i).+barracuda\s\w+\s\w+\s\w+\s\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\s\d{2,5}\s(?<ipaddress>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\s(?<port>\d{2,5})\s.+$" | eval ip_port=ipaddress+":"+port | table ip_port
0 Karma
Reply
Solved! Jump to solution

ranjyotiprakash
Communicator
‎04-29-2012 11:09 PM

Thanks a lot Damien ... This works ...

0 Karma
Reply
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...