Hello, I have logs coming in that look like the following:
(Tab between columns)
server1.something.com ApacheLog 0 10.0.0.1
server2.something.com ApacheLog 0 10.0.0.2
server3.something.com GenericLog 0 0 0 0
server4.something.com GenericLog 0 0 0 0
Using the IPs to have splunk generate a pattern results in this regex:
(?i)^(?:[^\t]*\t){3}(?P<FIELDNAME>[^ ]+)
The IP will be in the same place every time ApacheLog is present... so basically I want my RegEx to be something like the following which doesn't work:
^*\t*ApacheLog*\t*\t(?P<FIELDNAME>[^ ]+)
Any assistance would be appreciated.
Thanks,
John
Hi John,
Try the following regex:
\s+ApacheLog\s+\d\s+(?<MyFieldName>(?:\d{1,3}\.){3}\d{1,3})
You can test that by using the rex command on your events and seeing if the field contains what you expect. For example:
|rex field=_raw "\s+ApacheLog\s+\d\s+(?<MyFieldName>(?:\d{1,3}\.){3}\d{1,3})"
Perfect, thanks!
Using the interactive field extractor, the syntax it's looking for will be slightly different. Try the following there:
.*\s+ApacheLog\s+\d\s+(?P<MyFieldName>(?:\d{1,3}\.){3}\d{1,3})
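As an added example (not code from this thread), here are the two patterns from the thread applied in Python's re module, which uses the same (?P<name>...) group syntax the field extractor accepted. The sample events are constructed from the question, and the octet check at the end is an assumption of mine, since \d{1,3} alone also matches values above 255.

```python
import ipaddress
import re

# Constructed sample events mirroring the question (tab-separated columns).
SAMPLE_EVENTS = [
    "server1.something.com\tApacheLog\t0\t10.0.0.1",
    "server2.something.com\tApacheLog\t0\t10.0.0.2",
    "server3.something.com\tGenericLog\t0\t0\t0\t0",
    "server4.something.com\tGenericLog\t0\t0\t0\t0",
]

# Position-based pattern Splunk generated from the IP selection: "whatever is in the 4th column".
POSITIONAL_RE = re.compile(r"(?i)^(?:[^\t]*\t){3}(?P<FIELDNAME>[^ ]+)")

# Pattern keyed on the ApacheLog literal, in the (?P<name>...) form the field extractor wants.
APACHE_RE = re.compile(r"\s+ApacheLog\s+\d\s+(?P<MyFieldName>(?:\d{1,3}\.){3}\d{1,3})")


def extract(pattern, event, group):
    """Return the named group from the first match, or None when the event does not match."""
    m = pattern.search(event)
    return m.group(group) if m else None


def extract_all(events):
    """Run both patterns over each event; returns (host, positional_value, apache_value) tuples.

    On GenericLog rows the positional pattern still "succeeds" and returns column 4 onward
    (tabs are not spaces, so [^ ]+ keeps going), while the ApacheLog-keyed pattern returns None.
    """
    rows = []
    for ev in events:
        host = ev.split("\t", 1)[0]
        rows.append((host,
                     extract(POSITIONAL_RE, ev, "FIELDNAME"),
                     extract(APACHE_RE, ev, "MyFieldName")))
    return rows


def extract_apache_ip(event):
    """Like extract() with APACHE_RE, but only returns a syntactically valid IPv4 address."""
    value = extract(APACHE_RE, event, "MyFieldName")
    if value is None:
        return None
    try:
        ipaddress.IPv4Address(value)  # rejects octets above 255 such as 999.1.1.1
    except ValueError:
        return None
    return value
```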
This works in the search field, however when I attempt to edit the pattern in "Extract Fields" I get an "Invalid regex: syntax error". Any thoughts there?
Thanks!