Solved: RegEx AND / OR?

tmarlette · ‎11-07-2012

I am trying to extract an IP address into a field, however the same information occurs on two different logs, with two different logging methods.

I am attempting to extract the field with just one RegEx statement, but I can't seem to get the "AND" or "OR" portion of RegEx to recognize both data sets.

This is what I have:
src\s-\s(?\d+.\d+.\d+.\d+) OR DENIED\s-\s(?\d+.\d+.\d+.\d+)

I am attempting to extract the external IP address, from two different devices with 1 RegEx statement and put either 'hit' into the field "ext_ip".

here are the two message types:
DENIED - 10.10.10.10:8080 |
src - 10.10.10.10:8080

Does anyone know of a way to do this?

sowings · ‎11-07-2012

Given that that the difference is the prefix, and the formatting of the address is the same, I might do something like this:

(DENIED|src)\s-\s(?<ip_here>\d+\.\d+\.\d+\.\d+)

View solution in original post

kml_uvce · ‎03-16-2013

Even you can solve the problem like this, you can give one same field with 2 diffrent extraction based on DENIED and src from splunk Web Gui.

Kamal Bisht

kamal singh bisht

eashwar · ‎03-16-2013

hey there i hope this would help you.

D?E?N?I?E?D?s?r?c?\s-\s(?<ext_ip>d+.d+.d+.d+):\d{4}

sowings · ‎03-18-2013

Note that your regex above would allow for many different prefixes before the IP and port, like:

DEDrc -
EIE -
Dc -
DD -
ENDs -

etc.

tmarlette · ‎11-07-2012

This worked perfectly!!! Thank you very much!

sowings · ‎11-07-2012

Given that that the difference is the prefix, and the formatting of the address is the same, I might do something like this:

(DENIED|src)\s-\s(?<ip_here>\d+\.\d+\.\d+\.\d+)

sowings · ‎11-08-2012

Consider accepting the answer if it helped you; in this way, others know that a good solution was found.

sowings · ‎11-07-2012

It treats the backslash as an escape character. To get one to print within the body of the text, you'll have to use two together.

axinjakson · ‎11-07-2012

You could try the built in Splunk extraction, since they are 2 different logs and logging methods, just extract the field "src_ip" in each, do a search including both log types and you will get the extracted results from both automagically.

http://docs.splunk.com/Documentation/Splunk/4.3.2/User/InteractiveFieldExtractionExample

tmarlette · ‎11-07-2012

in the above RegEx statements, it keeps removing the backslash, so simply assume they are there in the RegEx statement above. 😃

RegEx AND / OR?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

SplunkTrust Application Period is Officially OPEN!

Join the Conversation