Solved: How to use regex determine whether a field is an I...

xsstest · ‎04-18-2017

I extracted a field named "apche_zhuji_sip", but the content is not accurate, some are not IP, how do I use regular expressions to filter non-IP content

DalJeanis · ‎04-18-2017

It will be something like this

(your extract)
| regex apche_zhuji_sip="^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$"

That's the basic, simple version that makes sure the IP has 1-3 numeric digits. You could also do a more complicated version that limits the nodes to 001-255...

| regex apche_zhuji_sip="(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3} (?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)"

View solution in original post

DalJeanis · ‎04-18-2017

It will be something like this

(your extract)
| regex apche_zhuji_sip="^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$"

That's the basic, simple version that makes sure the IP has 1-3 numeric digits. You could also do a more complicated version that limits the nodes to 001-255...

| regex apche_zhuji_sip="(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3} (?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)"

How to use regex determine whether a field is an IP address

Splunk Observability for AI

Splunk Enterprise Security 8.x: The Essential Upgrade for Threat Detection, ...

Splunk Observability as Code: From Zero to Dashboard

Are you a member of the Splunk Community?

How to use regex determine whether a field is an IP address

Splunk Observability for AI

Splunk Enterprise Security 8.x: The Essential Upgrade for Threat Detection, ...

Splunk Observability as Code: From Zero to Dashboard