Solved: How to extract new field IP with regex?

Madys · ‎04-20-2022

This is a log example:

2022-04-19 11:33:41 Local1.Info 10.0.6.1 Apr 19 12:34:20 FireboxM470_HA2 801002AA8CC3A FireboxM471_HA (2022-04-19T18:34:20) firewall: msg_id="3000-0151" Allow Firebox External-H udp 206.131.15.124 78.243.26.213 2267 53 geo_src="USA" geo_dst="USA" duration="36" sent_bytes="105" rcvd_bytes="121" (Any From Firebox-00)

I need to extract the src_ip (206.131.15.124 ) and the dst_ip (78.243.26.213). Splunk do not create a proper regex by itself, no matter how many examples I give. I am looking for a regex that matches the 2nd IP in the log, and another one for the 3rd one.

Till now, I have done this: "(\d{1,3}\.){3}\d{1,3}", wich matches the 3 IPs, but I don´t know how to select one of them.

And this: "(tcp|udp)\s((\d{1,3}\.){3}\d{1,3})" wich returns the second IP with the protocol, don't know how to remove the protocol and the space.

Does anyone knows how to extract those fields as new fields?

ITWhisperer · ‎04-20-2022

| rex "(?<src_ip>(\d{1,3}\.){3}\d{1,3})\s(?<dest_ip>(\d{1,3}\.){3}\d{1,3})"

View solution in original post

ITWhisperer · ‎04-20-2022

| rex "(?<src_ip>(\d{1,3}\.){3}\d{1,3})\s(?<dest_ip>(\d{1,3}\.){3}\d{1,3})"

How to extract new field IP with regex?

field extraction

regex

Dashboards: Hiding charts while search is being executed and other uses for tokens

Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...

Brains, Bytes, and Boston: Learn from the Best at .conf25

Are you a member of the Splunk Community?