Dear all
I have a search that returns the description of the windows event and I would like to extract the IP address informed in the text. How can I use rex command to return only that IP address?
Field example:
The server-side authentication level policy does not allow the user XXXXX SID (XXXXX) from address 192.168.10.100 to activate DCOM server. Please raise the activation authentication level at least to RPC_C_AUTHN_LEVEL_PKT_INTEGRITY in client application.
I would really appreciate it if someone could help me
Thanks
Br.,
Hi @renanxavier,
if the field is called message, you could run something like this:
<your_search>
| rex field=message "address\s+(?<ip>\d+\.\d+\.\d+\.\d+)"
| table _time message ip
you can test the regex at https://regex101.com/r/HSQISX/1
Ciao.
Giuseppe
Thank you so much @gcusello . It will be very helpful
Another question... How can I use regex to search the information that can come in other ways? Should I use conditions AND/OR? Let's suppose that this field can have the hostname (characters + numbers) or IP Address (numbers). How can I do this in the same regex?
The message should be:
...from address 192.168.10.100 to activate DCOM server...
OR
...from computer 192.168.10.100 to activate DCOM server...
OR
...from computer PCSCAX02 to activate DCOM server...
I can do this running regex three times with separated expression, but I think this is not a "smart way" to code 😕
Thanks
Br.,
Hi @renanxavier,
as @yuanliu said, this is a new question and it's better to create a new question to have a quicker and probably better answer.
And it's better, for the other people of the Community, to have an accepted answer.
Anyway, you can use the Splunk search features or the regex command.
The best approach is to create a fixed extraction for your field and use these new fields in the main search.
Otherwise you can use the search command or the regex command.
To create a fixed field extraction, you can use the IFX or a regex.
Ciao.
Giuseppe
P.S.: Karma Points are appreciated by all the Contributors 😉
@renanxavier As @gcusello has given a full solution to your original question, i.e., extract the IP address, you should mark that answer as the solution so this one is closed. Then if you have a different requirement, post a new question.
Just as an FYI, you can extract multiple values with one rex; in fact, if the message is structured (as certain types of logs often are), you can construct your expression based on that structure rather than based on characteristics of a particular component. For example, if I can make some assumptions about the structure of the messages, the following can extract various kinds of info in one command.
| rex " from (?<entity>\w+) (?<source>\S+) to (?<action>\w+) (?<type>\w+ server)"
Regex is extremely versatile and a lot of fun. gcusello's answer includes a great resource to experiment and learn more.
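The following is an added, runnable illustration of the three extractions discussed in this thread (gcusello's `address\s+(?<ip>...)` pattern, the follow-up about a source that may be "address" or "computer" and an IP or a hostname, and yuanliu's structure-based multi-field rex). It is not code from the thread or from Splunk; it uses Python's re module so the patterns can be tested outside Splunk, and the sample event descriptions are constructed from the thread. One real difference to keep in mind: Splunk's rex uses PCRE named groups written `(?<name>...)`, while Python spells the same group `(?P<name>...)`; that is the only change made to the patterns. The `is_ipv4` check is an assumption added here, because `\d+\.\d+\.\d+\.\d+` also accepts out-of-range values such as 999.999.999.999.

```python
import re

# Constructed sample event descriptions modelled on the thread (not real log data).
SAMPLE_MESSAGES = [
    "The server-side authentication level policy does not allow the user XXXXX SID (XXXXX) "
    "from address 192.168.10.100 to activate DCOM server. Please raise the activation "
    "authentication level at least to RPC_C_AUTHN_LEVEL_PKT_INTEGRITY in client application.",
    "... from computer 192.168.10.100 to activate DCOM server ...",
    "... from computer PCSCAX02 to activate DCOM server ...",
    "An unrelated event with no source in it at all.",
]

# gcusello's original pattern. Splunk rex uses the PCRE form (?<ip>...); Python's re module
# requires (?P<ip>...), which is the only change made here.
IP_ONLY = re.compile(r"address\s+(?P<ip>\d+\.\d+\.\d+\.\d+)")

# One expression for all three message shapes from the follow-up question: the keyword is
# either "address" or "computer", and the source is any run of non-space characters, so it
# captures an IPv4 address or a hostname like PCSCAX02 without running rex three times.
SOURCE_ANY = re.compile(
    r"from\s+(?P<entity>address|computer)\s+(?P<source>\S+)\s+to\s+activate"
)

# Structure-based multi-field extraction in the spirit of yuanliu's single rex.
STRUCTURED = re.compile(
    r" from (?P<entity>\w+) (?P<source>\S+) to (?P<action>\w+) (?P<type>\w+ server)"
)


def extract_ip(message):
    r"""Mirror of `rex field=message "address\s+(?<ip>...)"`: the ip, or None if absent."""
    m = IP_ONLY.search(message)
    return m.group("ip") if m else None


def is_ipv4(value):
    """Assumption added here: \\d+ octets are not range-checked, so validate 0-255 explicitly."""
    parts = value.split(".")
    return len(parts) == 4 and all(p.isdigit() and 0 <= int(p) <= 255 for p in parts)


def extract_source(message):
    """Return (entity, source, kind) with kind 'ip' or 'host', or None when nothing matches."""
    m = SOURCE_ANY.search(message)
    if not m:
        return None
    source = m.group("source")
    return m.group("entity"), source, ("ip" if is_ipv4(source) else "host")


def extract_structured(message):
    """Equivalent of yuanliu's multi-group rex: all named groups as a dict, or None."""
    m = STRUCTURED.search(message)
    return m.groupdict() if m else None


def extract_all(messages):
    """Like `| table message ip`: one row per event, None where rex would extract nothing."""
    return [
        {"message": msg, "ip": extract_ip(msg), "source": extract_source(msg)}
        for msg in messages
    ]


if __name__ == "__main__":
    for row in extract_all(SAMPLE_MESSAGES):
        print(row)
```

Events that do not match simply get an empty field, exactly as rex leaves the field unset in Splunk, so the table keeps one row per event rather than dropping the non-matching ones.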