Solved: Re: extract source_ip

tven7 · ‎09-27-2011

i have the following jboss http log entry

00.00.00.253 11.11.111.111 [27/Sep/2011:00:45:31 -0700] GET /xyz/images/spacer.png HTTP/1.1 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; WOW64; Trident/4.0; GTB7.1; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.5.30729; .NET CLR 1.1.4322; .NET4.0C; .NET CLR 3.0.30729)' 200 153 0

rex ="[\d+\.]+\s(?P<source_ip>[\d+\.]+)\s\[\d+"

I already tried specifying sourcetype as access_combined. splunk does not want to recognize the format correctly. So i am forced to extract with regex.

this wont work right for some reason and i cant extract source_ip. I am going after the 2nd ip on the line. what am i doing wrong?

cnk · ‎09-27-2011

Try removing the '=' before your regex. The rex command syntax is:

rex [field=<field>] (<regex-expression> [max_match=<int>] | mode=sed <sed-expression>)

hence

rex "[\d+\.]+\s(?P<source_ip>[\d+\.]+)\s\[\d+"

View solution in original post

tven7 · ‎09-27-2011

Thank you. That fixed it. 🙂

cnk · ‎09-27-2011

Try removing the '=' before your regex. The rex command syntax is:

rex [field=<field>] (<regex-expression> [max_match=<int>] | mode=sed <sed-expression>)

hence

rex "[\d+\.]+\s(?P<source_ip>[\d+\.]+)\s\[\d+"

extract source_ip

App Platform's 2025 Year in Review: A Year of Innovation, Growth, and Community

Operationalizing Entity Risk Score with Enterprise Security 8.3+

Unlock Database Monitoring with Splunk Observability Cloud

Join the Conversation

extract source_ip

App Platform's 2025 Year in Review: A Year of Innovation, Growth, and Community

Operationalizing Entity Risk Score with Enterprise Security 8.3+

Unlock Database Monitoring with Splunk Observability Cloud