Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

REGEX in transform.conf using "^" to specify the begining does not work

aferchichi
New Member
‎10-17-2013 03:45 AM

Hi,

I specified the following in transforms.conf

SOURCE_KEY = MetaData:Host
REGEX = ^8\.\d{1,3}\.\d{1,3}\.\d{1,3}$
DEST_KEY = _MetaData:Index
FORMAT = special_index

This should noramlly match host like 8.23.15.12, but it does not work. And if a remove the "^" it will match but it will also match 18.23.15.12 which I do not want. It seems that the "beging with" is not working... Is this a bug? is there a way to circumvent it?
Thanks for your help,

Azim

0 Karma
Reply

nunoaragao
Path Finder
‎05-12-2021 04:30 AM

Maybe not working because SOURCE_KEY = MetaData:Host will return

host::

at the begging of the string.
Maybe change REGEX to either

REGEX = ^host\:\:8\.\d{1,3}\.\d{1,3}\.\d{1,3}
REGEX = (?<!\d)8\.\d{1,3}\.\d{1,3}\.\d{1,3}

 

0 Karma
Reply

aferchichi
New Member
‎10-17-2013 04:56 AM

Thanks
but it does not work neither...

Any other suggestions?

Azim

0 Karma
Reply

alacercogitatus
SplunkTrust
SplunkTrust
‎10-17-2013 04:29 AM

You could try this REGEX:

^8\.\d{1,3}\.\d{1,3}\.\d{1,3}

Dropping the $ might help, since you don't really care about the end of the string, just the beginning.

0 Karma
Reply

sowings
Splunk Employee
Splunk Employee
‎10-17-2013 07:35 AM

Some of the other metadata fields have a hidden prefix of the name of the field itself, so it could be host::8.x.y.z

0 Karma
Reply

aferchichi
New Member
‎10-17-2013 06:44 AM

In fact, I think the Host variable extracted has some non viewable characters before the digits (maybe a space), that's why it did not match the "begin with 8" expression ^8.

0 Karma
Reply

alacercogitatus
SplunkTrust
SplunkTrust
‎10-17-2013 06:24 AM

I checked that regex here: http://gskinner.com/RegExr/, with these IPs:

128.3.2.4
8.4.3.2
18.3.4.5

And it only matches the 8.4.3.2 IP.

0 Karma
Reply

aferchichi
New Member
‎10-17-2013 06:20 AM

Thanks again... But here you must have something before the number "8", like a8.4.5.7 and therefore will not match the 8.4.5.7

0 Karma
Reply

alacercogitatus
SplunkTrust
SplunkTrust
‎10-17-2013 05:33 AM

[^0-9]{1,2}[^0-79]{1}\.\d{1,3}\.\d{1,3}\.\d{1,3} . Not sure why it's not picking up the "^".

0 Karma
Reply

aferchichi
New Member
‎10-17-2013 05:28 AM

Thanks but it leads to the same result... Your expression will also match 18.2.3.4 ... Which I dont want. It really seams that splunk is not capable of interpreting the begining of a string "^".

0 Karma
Reply

alacercogitatus
SplunkTrust
SplunkTrust
‎10-17-2013 05:08 AM

[^0-79]{1}\.\d{1,3}\.\d{1,3}\.\d{1,3} ?

0 Karma
Reply

aferchichi
New Member
‎10-17-2013 04:57 AM

Thanks
but it does not work neither...

Any other suggestions?

Azim

0 Karma
Reply
Get Updates on the Splunk Community!

What the End of Support for Splunk Add-on Builder Means for You

Hello Splunk Community! We want to share an important update regarding the future of the Splunk Add-on Builder ...

Solve, Learn, Repeat: New Puzzle Channel Now Live

Welcome to the Splunk Puzzle PlaygroundIf you are anything like me, you love to solve problems, and what ...

Building Reliable Asset and Identity Frameworks in Splunk ES

 Accurate asset and identity resolution is the backbone of security operations. Without it, alerts are ...