Solved: How to exract regex to my field

splunkn · ‎11-28-2014

I am having events like below,

E.g. 1 Nov 7 10:18:49 111.222.333.444 Success user=abc userid=123 account=xyz
E.g.2 Nov 7 10:18:49 Success user=sdf userid=234 account=asdf destip=111.222.333.444

In some events (E.g. 1 ) we are having Destintation IP after the timestamp
But in some events (E.g. 2) we are having DestinationIP in a separate field named destip

How to write a regex for this to extract a single field as DestIP?
Could anyone help me with this?

gfuente · ‎11-28-2014

Hello

Supposing that you only have one ip in each event you could extract it with this regex, no matter where it is located:

(?<destip>\d+\.\d+\.\d+\.\d+)

Regards

View solution in original post

gfuente · ‎11-28-2014

Hello

Supposing that you only have one ip in each event you could extract it with this regex, no matter where it is located:

(?<destip>\d+\.\d+\.\d+\.\d+)

Regards

gfuente · ‎11-28-2014

Ok, then use this one:

(\d\d\:\d\d\:\d\d\s|destip\=)(?<destip>\d+\.\d+\.\d+\.\d+)

splunkn · ‎11-28-2014

Many thanks 🙂

splunkn · ‎11-28-2014

Sad part is my events are having more than one IPs in event like sourceip,thirdpartyip 😞

How to exract regex to my field

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!