Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How can I parse out both the Named Address and IP Address and format them into an Extracted Field?

justdan23
Path Finder
‎07-24-2019 12:38 PM

The log entry I have has:

Message=DNS query is completed for the name my.big.server.name.com, type 28, query options 1073897472 with status 0 Results ::ffff:10.2.1.20

How can I extract both the Named Address and IP Address into one Extracted Field with the value:

my.big.server.name.com (10.2.1.20)

The UI gives me an option to provide my own regex, but it clips the text:

DNS query is completed for the name (?P <dns_lookup>[^\, type]+)
Tags (1)
0 Karma
Reply

Vijeta
Influencer
‎07-24-2019 01:35 PM

@justdan23

You can use the rex commands and get final output by concatenating .

<your query>| rex field=_raw "\s+(?<domain>\w+\.\w+\.\w+\.\w+\.\w+)"| rex field=_raw "\S+:(?<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"| eval fname=domain+" "+ip
0 Karma
Reply

justdan23
Path Finder
‎07-24-2019 12:40 PM

Note: The code block in this interface adds the numbers when trying to block a data sample.

Is there a better way for me to format this?

The Preview doesn't show the numbers before I posted it.

0 Karma
Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...