Splunk Search

SYSLOG - Regex Help needed - selecting second of two IP addresses.

TheMarkHodgkins
Explorer

Hi all,

I have syslog data coming in - it features a src and dst IP address but how can I write a regex to select only the second IP address?

Only been doing regex for a week so any help is gratefully received 😆

Thanks

Mark

Tags (1)
1 Solution

Ayn
Legend

Write a regex that matches an IP address twice, but only include the second one in a matching group. Using the rex command this regex should give you the IP address you want:

... | rex "\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}.+?(?<ip_addr>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"

View solution in original post

TheMarkHodgkins
Explorer

Ah brilliant have done and award reputation points.

Thanks 😆

Mark

TheMarkHodgkins
Explorer

Not sure my interpretation was correct LOL

in the field extractor I amended the rex to look like this.

(\d{1,3}.\d{1,3}.\d{1,3}.\d{1,3}.+?(?P\d{1,3}.\d{1,3}.\d{1,3}.\d{1,3}))

but I got

Invalid regex: no named extraction at position 0 (i.e., "(\d{1,3}...."). Expected "(?Ppattern)"

Looks like finally working like this 😆

rex "((?P\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}).+?(?P\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}))"

Cheers - you're an inspiration 😆

Ayn
Legend

That's because you started off with a leading paranthesis which tells Splunk it should create a matching group, but you never assign a name to the group which is an error.

Anyway great if you got it working! Could you please mark my answer as accepted? Thanks!

Ayn
Legend

Write a regex that matches an IP address twice, but only include the second one in a matching group. Using the rex command this regex should give you the IP address you want:

... | rex "\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}.+?(?<ip_addr>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...