This is a log example:
2022-04-19 11:33:41 Local1.Info 10.0.6.1 Apr 19 12:34:20 FireboxM470_HA2 801002AA8CC3A FireboxM471_HA (2022-04-19T18:34:20) firewall: msg_id="3000-0151" Allow Firebox External-H udp 206.131.15.124 78.243.26.213 2267 53 geo_src="USA" geo_dst="USA" duration="36" sent_bytes="105" rcvd_bytes="121" (Any From Firebox-00)
I need to extract the src_ip (206.131.15.124) and the dst_ip (78.243.26.213). Splunk does not create a proper regex by itself, no matter how many examples I give. I am looking for a regex that matches the 2nd IP in the log, and another one for the 3rd one.
Till now, I have done this: "(\d{1,3}\.){3}\d{1,3}", which matches the 3 IPs, but I don't know how to select one of them.
And this: "(tcp|udp)\s((\d{1,3}\.){3}\d{1,3})", which returns the second IP with the protocol, but I don't know how to remove the protocol and the space.
Does anyone know how to extract those fields as new fields?
| rex "(?<src_ip>(\d{1,3}\.){3}\d{1,3})\s(?<dest_ip>(\d{1,3}\.){3}\d{1,3})"
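The rex above works because the source and destination addresses are the first two dotted quads in the message separated only by whitespace. The added Python example below is not from the thread; it reproduces that adjacency pattern with named groups, and beside it shows a stricter variant that anchors on the protocol token and limits octets to 0-255, so the extraction cannot latch onto some other pair of adjacent addresses in the syslog header. The first sample line is the one from the question; the second is a constructed line whose header carries two adjacent IPs, to show where the unanchored pattern picks the wrong pair.

```python
import re

# Sample input. Line 0 is the log line from the question. Line 1 is constructed
# (documentation addresses) with two adjacent IPs in the syslog prefix, which the
# unanchored pattern will capture instead of the firewall's own src/dst pair.
SAMPLE_LINES = [
    '2022-04-19 11:33:41 Local1.Info 10.0.6.1 Apr 19 12:34:20 FireboxM470_HA2 '
    '801002AA8CC3A FireboxM471_HA (2022-04-19T18:34:20) firewall: msg_id="3000-0151" '
    'Allow Firebox External-H udp 206.131.15.124 78.243.26.213 2267 53 geo_src="USA" '
    'geo_dst="USA" duration="36" sent_bytes="105" rcvd_bytes="121" (Any From Firebox-00)',
    '2022-04-19 11:35:02 Local1.Info 10.0.6.1 10.0.6.2 Apr 19 12:35:41 FireboxM470_HA2 '
    '801002AA8CC3A FireboxM471_HA (2022-04-19T18:35:41) firewall: msg_id="3000-0148" '
    'Deny External Firebox tcp 192.0.2.10 198.51.100.7 51000 443 geo_src="USA" '
    'geo_dst="USA" (Any From External-00)',
]

# Approach 1: the same idea as the Splunk rex in the answer, two dotted quads
# separated by whitespace, with Python named groups (?P<name>...).
ADJACENT_IPS = re.compile(
    r"(?P<src_ip>(?:\d{1,3}\.){3}\d{1,3})\s+(?P<dest_ip>(?:\d{1,3}\.){3}\d{1,3})"
)

# Approach 2: anchor on the protocol token that precedes the src/dst pair in this
# message format, and require each octet to be 0-255 rather than any 1-3 digits.
OCTET = r"(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)"
IPV4 = rf"(?:{OCTET}\.){{3}}{OCTET}"
ANCHORED = re.compile(
    rf"\b(?P<proto>tcp|udp)\s+"
    rf"(?P<src_ip>{IPV4})\s+(?P<dest_ip>{IPV4})\s+"
    rf"(?P<src_port>\d{{1,5}})\s+(?P<dest_port>\d{{1,5}})\b"
)


def extract_adjacent(line):
    """Return {'src_ip', 'dest_ip'} from the first pair of adjacent IPs, or None."""
    m = ADJACENT_IPS.search(line)
    return m.groupdict() if m else None


def extract_anchored(line):
    """Return proto/src_ip/dest_ip/src_port/dest_port anchored on the protocol, or None."""
    m = ANCHORED.search(line)
    return m.groupdict() if m else None


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print("adjacent:", extract_adjacent(line))
        print("anchored:", extract_anchored(line))
```

In Splunk the anchored form translates directly, since rex uses PCRE named groups: `| rex "\b(?<proto>tcp|udp)\s+(?<src_ip>(?:\d{1,3}\.){3}\d{1,3})\s+(?<dest_ip>(?:\d{1,3}\.){3}\d{1,3})"`. Anchoring on a field that is fixed by the message format is what keeps the extraction stable when the relay or syslog header changes shape.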