How can I properly extract just the client that is doing the query from the below log entries? I noticed that on some log entries the word client is followed by @xxxxx characters and for some it isn't. Splunk field extractions had the below extraction, but it adds the word client to some of the IPs. Any help is appreciated. Thanks.
^(?:[^ \n]* ){5}(?P<client>[^#]+)
2020-01-30T12:50:39-05:00 173.12.5.49 named[15584]: client @0x7f74cc307f80 173.27.28.143#50046 (www.google.ru): query: www.google.ru IN A + (173.20.3.47)
2020-01-30T12:50:21-05:00 173.19.9.46 named[15584]: 30-Jan-2020 12:50:21.069 client 173.24.28.149#50769: UDP: query: sync3.adsniper.ru IN A response: SERVFAIL +
Hi @samble, assuming you just want the ip (not the @xxx) try this:
client\s(?:@\w+\s)?(?P<client>\d+\.\d+\.\d+\.\d+)
https://regex101.com/r/nXdirW/1
if you do want the @xxx
client\s?(?P<client>(?:@\w+\s)?\d+\.\d+\.\d+\.\d+)
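The following is an added worked example, not part of the answer above or of any Splunk configuration. It runs the asker's original position-based extraction and the answer's suggested regex over two constructed lines modelled on the two log formats in the question, so you can see why the original one captures "client 173.24.28.149" on the second format (the date/time prefix shifts the five skipped tokens) and the anchored one does not. It also adds a stricter variant of my own (STRICT_RE, an assumption, not from the answer) that checks each octet is 0-255 and requires the trailing #port, which keeps a malformed address from being accepted as a client IP.

```python
import re

# Constructed sample lines modelled on the two BIND query-log formats in the
# question (one with the "@0x..." client handle, one without). Not real traffic.
SAMPLE_LINES = [
    "2020-01-30T12:50:39-05:00 173.12.5.49 named[15584]: client @0x7f74cc307f80 "
    "173.27.28.143#50046 (www.google.ru): query: www.google.ru IN A + (173.20.3.47)",
    "2020-01-30T12:50:21-05:00 173.19.9.46 named[15584]: 30-Jan-2020 12:50:21.069 "
    "client 173.24.28.149#50769: UDP: query: sync3.adsniper.ru IN A response: SERVFAIL +",
]

# The original Splunk extraction: skip five space-delimited tokens, then grab
# everything up to '#'. Position-based, so the second format's extra
# "30-Jan-2020 12:50:21.069" tokens push the word "client" into the capture.
ORIGINAL_RE = re.compile(r"^(?:[^ \n]* ){5}(?P<client>[^#]+)")

# The fix suggested in the answer: anchor on the literal word "client",
# optionally skip the "@handle " token, and capture only the dotted quad.
FIXED_RE = re.compile(r"client\s(?:@\w+\s)?(?P<client>\d+\.\d+\.\d+\.\d+)")

# Stricter variant (assumption added here, not from the answer): each octet must
# be 0-255 and the address must be followed by "#port", so a malformed address
# such as 999.1.1.1 is rejected instead of being indexed as a client IP.
OCTET = r"(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)"
STRICT_RE = re.compile(
    rf"\bclient\s+(?:@0x[0-9a-fA-F]+\s+)?(?P<client>{OCTET}(?:\.{OCTET}){{3}})#\d{{1,5}}\b"
)


def extract(pattern, line):
    """Return the named 'client' capture for one line, or None if no match."""
    m = pattern.search(line)
    return m.group("client") if m else None


def extract_all(pattern, lines):
    """Apply one extraction pattern to every line, preserving order."""
    return [extract(pattern, line) for line in lines]


if __name__ == "__main__":
    for name, pat in (("original", ORIGINAL_RE), ("fixed", FIXED_RE), ("strict", STRICT_RE)):
        print(f"{name:9s} {extract_all(pat, SAMPLE_LINES)}")
```

Note that the answer's regex accepts any run of digits between the dots, so `client 999.1.1.1#53` would yield `999.1.1.1`; if the extracted field feeds lookups or alerting on source addresses, the stricter octet check is worth the extra characters.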
The regex works fine in regex101.com with the given sample data. Can you provide an example where "client" is included in the IP?