Solved: Re: Regex field extraction question

MAMAOUI · ‎11-15-2017

Hi

I have this log format for extracting

Sep 01 09:55:11 @ipdest HSL: @ip1:port1 <-> @ip2:port2 | @ip3:port3 <-> @ip4:port4

REGEX = (?\S+\s+\d+ \d+:\d+:\d+) (?\d+.\d+.\d+.\d+)[^[]HSL: (?<@ip1>\d+.\d+.\d+.\d+):(?\S+) <-> (?<@ip2>\d+.\d+.\d+.\d+):(?\S+) | (?<@ip3>\d+.\d+.\d+.\d+):(?\S+) <-> (?<@ip4>\d+.\d+.\d+.\d+):(?\S+)

I would like to extract everything , but in my results, all fields were exctracted except whose after pipe | (@ip3:port3 <-> @ip4:port4).
Any help much appreciated.
Thankyou.

micahkemp · ‎11-15-2017

The | character acts as an OR in regex. If you would like to match a literal | escape it: \|.

REGEX = (?\S+\s+\d+ \d+:\d+:\d+) (?\d+.\d+.\d+.\d+)[^[]HSL: (?<@ip1>\d+.\d+.\d+.\d+):(?\S+) <-> (?<@ip2>\d+.\d+.\d+.\d+):(?\S+) \| (?<@ip3>\d+.\d+.\d+.\d+):(?\S+) <-> (?<@ip4>\d+.\d+.\d+.\d+):(?\S+)

View solution in original post

micahkemp · ‎11-15-2017

The | character acts as an OR in regex. If you would like to match a literal | escape it: \|.

REGEX = (?\S+\s+\d+ \d+:\d+:\d+) (?\d+.\d+.\d+.\d+)[^[]HSL: (?<@ip1>\d+.\d+.\d+.\d+):(?\S+) <-> (?<@ip2>\d+.\d+.\d+.\d+):(?\S+) \| (?<@ip3>\d+.\d+.\d+.\d+):(?\S+) <-> (?<@ip4>\d+.\d+.\d+.\d+):(?\S+)

cpetterborg · ‎11-15-2017

You also better escape the periods in your IP addresses - \.. A period will match almost any character of not escaped. Depending on your data, that could be a problem, but likely in this case it won't. But it will parse more quickly if you escape them, which is a side benefit.

MAMAOUI · ‎11-15-2017

Hello ,

Thank you, It works now,I added the \ before the |.

Meryem

Regex field extraction question

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!