Solved: Regex to match lines with multiple src_ip

saurabhkharkar · ‎09-03-2021

Hello,

To pull in specific events in splunk i am trying to write a regex to identify lines that matches both the conditions

1: app_protocol=http or https

2. src_ip = starts with 15. or 16.

This is what i have , but doesnt seem to be working , am i doing somting wrong ?

.*app_protocol=HTTP|S\s.*(src_ip\=15\.\d+\.\d+\.\d+|16.\.\d+\.\d+\.\d+)*

hoaxm3 · ‎09-03-2021

May want to paste in a raw log for testing, but you can give this a go:

(?i)app_protocol=https?.*?src_ip=(15|16)\.\d{1,3}\.\d{1,3}\.\d{1,3}

hoaxm3 · ‎09-03-2021

May want to paste in a raw log for testing, but you can give this a go:

(?i)app_protocol=https?.*?src_ip=(15|16)\.\d{1,3}\.\d{1,3}\.\d{1,3}

Regex to match lines with multiple src_ip