Solved: How to create two new fields from a single field?

bt149 · ‎03-24-2023

I have a log set from FW's. These logs have a field called "src." From what I can tell, this field is populated with values such as:
FQDN (myhost.mydomain.com)
Console or telnet
10.0.0.1

I'm looking to have two fields created from the "src" field, one name IP if the value in "src" is an IP and "src_nt_host" if the value is not an ip_address. A small sample from the logged event:

From: Console or telnet.
From: myhost.mydomain.com.
From: 10.0.0.1.

Any help / guidance is greatly appreciated.

gcusello · ‎03-24-2023

HI @bt149 ,

Sorry, please try this:

<your_search>
| rex field=src "(?<ip>\d+\.\d+\.\d+\.\d+)"
| eval src_nt_host=if(isnull(ip),src,"")

that I tested

Ciao.

Giuseppe

View solution in original post

bt149 · ‎03-24-2023

Thank you but that didn't do the trick.

gcusello · ‎03-24-2023

HI @bt149 ,

Sorry, please try this:

<your_search>
| rex field=src "(?<ip>\d+\.\d+\.\d+\.\d+)"
| eval src_nt_host=if(isnull(ip),src,"")

that I tested

Ciao.

Giuseppe

bt149 · ‎03-25-2023

Thank you Giuseppe! This worked well.

gcusello · ‎03-24-2023

Hi @bt149 ,

you could try something like this:

<your_search>
| rex field=src "(?<ip>\d+\.\d+\.\d+\.\d+)"
| eval src_nt_host=if(isempty(ip),src,"")
| ...

Ciao.

Giuseppe

How to create two new fields from a single field?

rex

Devesh Logendran, Splunk, and the Singapore Cyber Conquest

There's No Place Like Chrome and the Splunk Platform

Customer Experience | Join the Customer Advisory Board!