Solved: Re: How to write the regex for multivalue field ex...

rubeniturrieta · ‎07-23-2015

Hi to everyone:

I have a single event with 15,394 lines, and i can't write a regular expression for a field extraction (a list of ip addresses), like it can be seen in the attachment.

I have this:

//// a lot of lines
servidores
{
and
{
or
{
ip
{
ip1
ip2
ip3
}
}
}
/// another lot of lines

And I need this:

field: ip
values: ip1, ip2 and ip3

How can I write this regular expression?

Any help, i'll be very grateful.

Regards

somesoni2 · ‎07-23-2015

Try something like this

Updated*

- props.conf
[YourSourcetype]
...other configurations...
EXTRACT-servidoresip = servidores([\r\n])\{([\r\n])and([\r\n])\{([\r\n])or([\r\n])\{\s*ip\s*\{(?<IP>[^\}]+)
REPORT-extract_ipaddresses = extract_ipaddresses


- transforms.conf
    [extract_ipaddresses]
SOURCE_KEY = IP
REGEX = (\d+\.\d+\.\d+\.\d)
FORMAT = ip::$1
MV_ADD = true

Sample test data used:

servidores1
{
and
{
or
{
ip
{
 54.54.54.54
 55.55.55.55
 66.66.66.66
}
}
}
servidores
{
and
{
or
{
ip
{
 10.10.10.10
 11.11.11.11
 12.12.12.12
}
}
}
servidores2
{
and
{
or
{
ip
{
 54.54.54.54
 55.55.55.55
 66.66.66.66
}
}
}

View solution in original post

somesoni2 · ‎07-23-2015

Try something like this

Updated*

- props.conf
[YourSourcetype]
...other configurations...
EXTRACT-servidoresip = servidores([\r\n])\{([\r\n])and([\r\n])\{([\r\n])or([\r\n])\{\s*ip\s*\{(?<IP>[^\}]+)
REPORT-extract_ipaddresses = extract_ipaddresses


- transforms.conf
    [extract_ipaddresses]
SOURCE_KEY = IP
REGEX = (\d+\.\d+\.\d+\.\d)
FORMAT = ip::$1
MV_ADD = true

Sample test data used:

servidores1
{
and
{
or
{
ip
{
 54.54.54.54
 55.55.55.55
 66.66.66.66
}
}
}
servidores
{
and
{
or
{
ip
{
 10.10.10.10
 11.11.11.11
 12.12.12.12
}
}
}
servidores2
{
and
{
or
{
ip
{
 54.54.54.54
 55.55.55.55
 66.66.66.66
}
}
}

rubeniturrieta · ‎07-23-2015

Thank you very much someoni2, but I have several lists of IP addresses that correspond to different fields in the same event. How would it be then?

somesoni2 · ‎07-23-2015

So do you have any prefix or pattern before/after the list of IP you want to extract?

rubeniturrieta · ‎07-23-2015

Yes, in the example, the word "servidores" is identifier for the field, and the regular pattern is

"
and
{
or
{
ip
{
"

somesoni2 · ‎07-23-2015

See if the updated answer works for you. I'm extracting a temp field to get section servicedores and then getting a mv field with IP addresses present in it.

rubeniturrieta · ‎07-23-2015

Wow, thanks you somesoni2, but it doesn't works yet for me, but i think you are very close. Maybe something about space characters?

    servidores
    {
        and
        {
            or
            {
                ip
                {
                    168.88.13.6
                    168.88.11.164
                    168.88.13.29
                    168.88.13.39
                    168.88.13.60
                    168.88.13.150
                    168.88.13.115

rubeniturrieta · ‎07-23-2015

Yes, it was the space character. Thanks you very much somesoni2.

How to write the regex for multivalue field extraction (a list of IP addresses) for a very large event?

Can’t make it to .conf25? Join us online!

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Unlock What’s Next: The Splunk Cloud Platform at .conf25

Are you a member of the Splunk Community?

How to write the regex for multivalue field extraction (a list of IP addresses) for a very large event?

Can’t make it to .conf25? Join us online!

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Unlock What’s Next: The Splunk Cloud Platform at .conf25