Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Need a regex improvement

tinylund
Explorer
‎09-29-2021 11:21 AM

| rex field=_raw "(?<dscvIP>[^\.]\d+\.\d+\.\d+\.\d+[\s|\:])"

Using the above rex command to try to capture IP addresses, an it works most of the time, but I still get a few false positives for ESX log entries that contain the following

Rcv-tx-10.20.30.45.78.80

The rex field captures 30.45.78.80 as the dscvIP field. I thought by adding the [^\.] to the beginning of the regex match it would not capture an string matching the IP syntax that had a period(.) immediately preceding the string. And I also thought this string would be skipped all together because for it to not start with a period(.) , the match would have to go to the dash(-) following tx, but then would not match because there is not a space or colon after the 4th \d+ match.

What am 

Labels (2)
Labels
0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎09-29-2021 11:45 AM

Well. The typical regex used often to capture IP addresses is \d{1,3}\.\d{1,3}\.\d{1,3}\d{1,3}

Unfortunately, it doesn't validate the validity of the captured addres and accepts values over 255. It can be improved but it quickly gets ugly

((1?\d{1,2})|2([0-4]\d|5[0-5]))\d((1?\d{1,2})|2([0-4]\d|5[0-5]))\d((1?\d{1,2})|2([0-4]\d|5[0-5]))\d((1?\d{1,2})|2([0-4]\d|5[0-5]))

Something like that - I'm writing it on the fly so can't guarantee correctness 😉 Regex is not very well suited for matching IP's

Anyway, if you want to capture just the four octet sequence with a guarantee that it's not preceedee or continued by any dot-delimited sequence, you might want to match (^|[^.]) at the beginning and ($|[^.]) at the end (you don't escape the dot in character set)

So effectively (in the simple - non-validating form) you end up with

(^|[^.])(?<IP>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})($|[^.])
0 Karma
Reply

tinylund
Explorer
‎09-29-2021 11:33 AM

date FQN date:time FQN vmkernel: cpu16:66435)CpuSched: 694: user latency of 418901 RPC-tx-10.20.30.45.78.80 0 changed by 66435 NFSv3-RemountHandler -6

0 Karma
Reply

ashvinpandey
Contributor
‎09-29-2021 11:46 AM

@tinylund Please try using the below rex:

| rex field=_raw "RPC-tx-(?P<dscvIP>.*?)\s"

Also, If this reply helps you, an upvote would be appreciated.

0 Karma
Reply

tinylund
Explorer
‎09-29-2021 11:55 AM

This is just the raw log that fails, the above rex finds the correct combination in other logs, so I don't want to single out the RPC-tx- (this solution doesn't resolve the issue)

0 Karma
Reply

ashvinpandey
Contributor
‎09-29-2021 11:27 AM

@tinylund Can you share the raw event ?

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | Why did the turkey cross the road?

November 2025 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  &#x1f680; Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Feel the Splunk Love: Real Stories from Real Customers

Hello Splunk Community,    What’s the best part of hearing how our customers use Splunk? Easy: the positive ...