
Regex help!

Builder

Hi

How do I extract the IPs from the Windows event below, both Client IP-1 and Client IP-2?

02/22/2017 09:05:24 AM
LogName=Security
SourceName=AD FS Auditing
EventCode=411
EventType=0
Type=Information
ComputerName=ADSFS.ab.com
User=add
Sid=1244
SidType=1
TaskCategory=None
OpCode=Info
RecordNumber=4033770
Keywords=Audit Failure, Classic
Message=Token validation failed. See inner exception for more details.

Additional Data

Activity ID: 00000000-0000-0000-0000-000000000000

Token Type:
http://schemas.microsoft.com/ws/2006/05/identitymodel/tokens/UserName

Client IP:
133.44.55.20.81,122.333.44.55.

Error message:
kiran@ab.com

Exception details:
System.IdentityModel.Tokens.SecurityTokenValidationException: kiran@ab.com
at Microsoft.IdentityServer.Service.Tokens.MSISWindowsUserNameSecurityTokenHandler.ValidateToken(SecurityToken token)

0 Karma

Re: Regex help!

Contributor

Is this what you're looking for?

| rex field=_raw "(IP\:\s+|\d+\,)(?P<ClientIP>.*)."
| makemv delim="," ClientIP 

This should extract the IPs and separate them into their own values.

0 Karma

Re: Regex help!

Esteemed Legend

Like this (for IPV4):

... | rex max_match=0 "Client\s+IP:[\r\n\s\d\.\,]*(?<!\d)(?<Client_IP>\d+\.\d+\.\d+\.\d+)"

I do note that you have an IPV5 IP in your example???

0 Karma

Re: Regex help!

SplunkTrust

If IPV5 is in play, then you probably want

... | rex max_match=0 "Client\s+IP:[\r\n\s\d\.\,]*(?<!\d)(?<Client_IP>\d+\.\d+\.\d+\.\d+(\.\d+)?)"

or

... | rex max_match=0 "Client\s+IP:[\r\n\s\d\.\,]*(?<!\d)(?<Client_IP>\d+(\.\d+){3,4})"

0 Karma
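The three extractions proposed in the replies above, run against the sample event from the question, as an added example that is not code from any of the posts. Python's `re` stands in for the PCRE engine behind `rex`: the patterns are copied verbatim except that PCRE's `(?<name>...)` is written `(?P<name>...)`, and `re.finditer` reapplies the whole pattern after each match the way `max_match=0` does. Running it shows that the first reply's capture-then-split approach returns both values, while each prefix-anchored pattern returns a single value, the last address on the line, because `Client IP:` occurs only once and the greedy character class backtracks from the end of the line. The two-stage extraction (`RE_BLOCK`, `RE_ADDR`) and the `ipaddress` validity check are my additions, not from the thread; both addresses in the sample fail that check, which is the "IPV5" oddity noted below.

```python
import ipaddress
import re

# Constructed sample: the AD FS EventCode=411 event from the question,
# trimmed to the lines that matter for the extraction.
SAMPLE_EVENT = """02/22/2017 09:05:24 AM
LogName=Security
SourceName=AD FS Auditing
EventCode=411
ComputerName=ADSFS.ab.com
Keywords=Audit Failure, Classic
Message=Token validation failed. See inner exception for more details.

Additional Data

Activity ID: 00000000-0000-0000-0000-000000000000

Token Type:
http://schemas.microsoft.com/ws/2006/05/identitymodel/tokens/UserName

Client IP:
133.44.55.20.81,122.333.44.55.

Error message:
kiran@ab.com
"""

# First reply: capture the whole comma-separated list, then split it (the makemv step).
RE_LIST = re.compile(r"(IP\:\s+|\d+\,)(?P<ClientIP>.*).")

# Second and third replies, meant for rex max_match=0. PCRE's (?<name>...) is
# written (?P<name>...) for Python's re; everything else is unchanged.
RE_IPV4 = re.compile(r"Client\s+IP:[\r\n\s\d\.\,]*(?<!\d)(?P<Client_IP>\d+\.\d+\.\d+\.\d+)")
RE_IPV4_OR_5 = re.compile(r"Client\s+IP:[\r\n\s\d\.\,]*(?<!\d)(?P<Client_IP>\d+(\.\d+){3,4})")

# Two-stage variant (my addition, not from the thread): isolate the Client IP
# block first, then pull every dotted group out of that block alone.
RE_BLOCK = re.compile(r"Client\s+IP:\s*(?P<block>[\d.,]+)")
RE_ADDR = re.compile(r"(?<!\d)\d+(?:\.\d+){3,4}(?!\d)")


def extract_list_then_split(event):
    """First reply: one capture, then split on ','."""
    m = RE_LIST.search(event)
    return m.group("ClientIP").split(",") if m else []


def extract_with_max_match(pattern, event):
    """Second/third replies: reapply the whole pattern after each match, as max_match=0 does."""
    return [m.group("Client_IP") for m in pattern.finditer(event)]


def extract_two_stage(event):
    """Capture the block once, then find every address inside it."""
    m = RE_BLOCK.search(event)
    return RE_ADDR.findall(m.group("block")) if m else []


def valid_ipv4(addr):
    """True only for a syntactically valid IPv4 address (four octets, each 0-255)."""
    try:
        return ipaddress.ip_address(addr).version == 4
    except ValueError:
        return False


if __name__ == "__main__":
    print("list then split:", extract_list_then_split(SAMPLE_EVENT))
    print("max_match, IPv4:", extract_with_max_match(RE_IPV4, SAMPLE_EVENT))
    print("max_match, 4-5 groups:", extract_with_max_match(RE_IPV4_OR_5, SAMPLE_EVENT))
    print("two-stage:", extract_two_stage(SAMPLE_EVENT))
    for ip in extract_two_stage(SAMPLE_EVENT):
        print(ip, "valid IPv4" if valid_ipv4(ip) else "not a valid IPv4 address")
```

The two-stage form maps back to SPL as one `rex` that captures the block into a field and a second `rex max_match=0` applied to that field; the validity check is worth keeping in the search pipeline before an extracted value is used as a pivot or watchlist entry, since a malformed address like the two in this event is a parsing problem, not a client.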

Re: Regex help!

Esteemed Legend

Yes, I could have accommodated it but I figured it was a mistake/typo.

0 Karma