Solved: Re: Regex to extract a filed

samble · ‎01-30-2020

How can I properly extract just the client that is doing the query from the below log entries. I noticed that on some log entries the word client is followed by @xxxxx characters and for some it doesn't. Splunk field extractions had the below extraction, but it adds the word client to some of the IP's. Any help is appreciated. Thanks.

^(?:[^ \n]* ){5}(?P[^#]+)

2020-01-30T12:50:39-05:00 173.12.5.49 named[15584]: client @0x7f74cc307f80 173.27.28.143#50046 (www.google.ru): query: www.google.ru IN A + (173.20.3.47)

2020-01-30T12:50:21-05:00 173.19.9.46named[15584]: 30-Jan-2020 12:50:21.069 client 173.24.28.149#50769: UDP: query: sync3.adsniper.ru IN A response: SERVFAIL +

nickhills · ‎01-30-2020

Hi @samble, assuming you just want the ip (not the @xxx) try this:

client\s(?:@\w+\s)?(?P<client>\d+\.\d+\.\d+\.\d+)
https://regex101.com/r/nXdirW/1

if you do want the @xxx
client\s?(?P<client>(?:@\w+\s)?\d+\.\d+\.\d+\.\d+)

If my comment helps, please give it a thumbs up!

View solution in original post

richgalloway · ‎01-30-2020

The regex works fine in regex101.com with the given sample data. Can you provide an example where "client" is included in the IP?

---
If this reply helps you, Karma would be appreciated.

samble · ‎01-30-2020

2020-01-30T12:50:21-05:00 173.19.9.46named[15584]: 30-Jan-2020 12:50:21.069 client 173.24.28.149#50769: UDP: query: sync3.adsniper.ru IN A response: SERVFAIL +

nickhills · ‎01-30-2020

Hi @samble, assuming you just want the ip (not the @xxx) try this:

client\s(?:@\w+\s)?(?P<client>\d+\.\d+\.\d+\.\d+)
https://regex101.com/r/nXdirW/1

if you do want the @xxx
client\s?(?P<client>(?:@\w+\s)?\d+\.\d+\.\d+\.\d+)

If my comment helps, please give it a thumbs up!

Regex to extract a filed

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes