
How to write a RegEx to extract the IP address in reverse order?

draracle
Engager

Currently I am extracting the URL and reverse IP address (D.C.B.A) from a DNS-related event. I would like to capture the IP address in the opposite order (A.B.C.D). I heard this may be possible with sed mode and/or the use of backreferences, but I haven't had any luck getting this to work. I have included a sample event and output below.

Please advise how to capture the reverse IP during field extraction. If this is not possible at the time of field extraction please advise how to output the desired result during a regular search (which could be used for a Dashboard).

Event:
Jan 1 00:00:00 locdet named[123456]: CEF:0|Infoblox|NIOS|7.3.6-335725|RPZ-IP|PASSTHRU|4|app=DNS dst=1.1.1.1 src=2.2.2.2 spt=12345 view=_default qtype=A msg="rpz IP PASSTHRU rewrite urlofinterest.com [A] via 32.D.C.B.A.rpz-ip.malware.rpz.infoblox.local"

RegEx:

^[^"\n]*"\w+\s+\w+\s+\w+\s+\w+\s+(?P<msg_domain>\w+\.\w+\s+\[\w+\])[^\.\n]*\.(?P<msg_revIP>\b(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\b)

Fields Currently Extracted:
msg_domain=urlofinterest.com
msg_revIP=D.C.B.A

Desired Field Extracted:
msg_domain=urlofinterest.com
msg_revIP=A.B.C.D

Thanks

0 Karma
1 Solution

sundareshr
Legend

The following SED expression will reverse the IP order. It does not capture, but it will replace it with the reverse order.

... | rex mode=sed "s/(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})/\4.\3.\2.\1/g"

*UPDATED*

... | eval rev_IP=IP | rex field=rev_IP mode=sed "s/(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})/\4.\3.\2.\1/g"


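A standalone reimplementation of what the accepted answer does with sed backreferences, added here as an example and not taken from the thread: it parses an event shaped like the one in the question, reverses the D.C.B.A octets from the rpz-ip trigger name, and validates the result before returning it. The sample event, the 203.0.113.45 address and the function names are constructed for the example.

```python
import ipaddress
import re
from typing import Optional

# Constructed sample event, same shape as the Infoblox RPZ-IP event in the question.
# The trigger name encodes the matched network as <prefixlen>.<D>.<C>.<B>.<A>.rpz-ip
SAMPLE_EVENT = (
    'Jan 1 00:00:00 locdet named[123456]: CEF:0|Infoblox|NIOS|7.3.6-335725|RPZ-IP|PASSTHRU|4|'
    'app=DNS dst=1.1.1.1 src=2.2.2.2 spt=12345 view=_default qtype=A '
    'msg="rpz IP PASSTHRU rewrite urlofinterest.com [A] via 32.45.113.0.203.rpz-ip.malware.rpz.infoblox.local"'
)

# Anchor on "rewrite ... via <prefix>.<reversed ip>.rpz-ip" so the dst=/src= addresses
# earlier in the event are never touched (the reason the accepted answer applies sed
# to a copied field rather than to _raw).
RPZ_IP_RE = re.compile(
    r'rewrite\s+(?P<msg_domain>\S+)\s+\[(?P<qtype>\w+)\]\s+via\s+'
    r'(?P<prefix>\d{1,2})\.(?P<rev_ip>\d{1,3}(?:\.\d{1,3}){3})\.rpz-ip\b'
)


def reverse_ip(rev_ip: str) -> str:
    """Turn D.C.B.A into A.B.C.D, the same swap as the sed replacement \\4.\\3.\\2.\\1."""
    return '.'.join(reversed(rev_ip.split('.')))


def parse_rpz_ip_event(event: str) -> Optional[dict]:
    """Return msg_domain, the reversed and forward IP, and the RPZ network, or None."""
    m = RPZ_IP_RE.search(event)
    if not m:
        return None
    ip = reverse_ip(m.group('rev_ip'))
    # \d{1,3} also admits octets such as 999; validate before using the value in lookups.
    try:
        network = ipaddress.ip_network(f"{ip}/{m.group('prefix')}", strict=False)
    except ValueError:
        return None
    return {
        'msg_domain': m.group('msg_domain'),
        'msg_revIP': m.group('rev_ip'),
        'msg_IP': ip,
        'rpz_network': str(network),
    }
```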
ChrisBell04
Communicator

Slight tweak to that extraction (using Splunk_TA_infoblox v1.1.0 as the starting point). Will extract the rpz into a new field by itself.

index=infoblox sourcetype=infoblox:dns dns_rpz_policy_action="*" urlofinterest.com 
| eval rev_ip=dns_rpz_reponse_query
| rex field=rev_ip mode=sed "s/(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3}).rpz/\5.\4.\3.\2/g"
0 Karma

draracle
Engager

I cannot get this to work. I am trying to extract the field. If there is a way to perform a search and change msg_revIP to a new field with this search please provide additional information. Thanks

0 Karma

sundareshr
Legend

So if I understand you right, you want two fields: one with IP and the other with rev_IP. Right? Try the updated search.

0 Karma

draracle
Engager

Thanks, with a slight modification to the fields, this did the trick!

0 Karma

shivarpith
Path Finder

Hey, I have the same issue. Can you share what worked for you? 🙂

0 Karma