Solved: Regex for extracting ip port and interface - Page 2

jalfrey · ‎05-16-2013

In my log data I get lines that look like this:
dst=10.0.59.59:80:X1
dst=255.255.255.255:67:X0
dst=10.0.59.59:9060:X1
dst=0.0.0.0:0:X0
dst=224.0.0.5:1

The first value is an IP address. The next two values should be port number and interface. I did some field extractions and I can get it to extract all three fields if they are present but when it has only 2 fields it throws away the data. Could you help me write a field extraction regex to get the 2 field and 3 field variants.

the field names should be dst_ip, dst_port, dst_interface

kristian_kolb · ‎05-16-2013

Well, since there might not always be three fields to extract from the same piece of data, I'd do it in two EXTRACTs in props.conf

[your sourcetype]
EXTRACT-dst_ip_port = \s+dst=(?<dst_ip>[^:]+):(?<dst_port>\d+)
EXTRACT-dst_if = \s+dst=[^:]+:\d+:(?<dst_interface>\S+)

/K

View solution in original post

Regex for extracting ip port and interface

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Index This | What travels the world but is also stuck in place?

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

Join the Conversation