Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

field extraction regex

EricPartington
Communicator
‎07-10-2010 02:20 AM

THis might be a bit difficult, but i want to try anyways... I am trying to aggrgate source and destination IP addresses across a few different device types. For all device types the src and dest ip addresses are valid IPV4 but one type can show Ip addresses in two formats.

192.168.1.1
or HOSTNAME1_192.168.1.2

the field looks like this when i want to extract it

src=192.168.1.1
or 
src=HOSTNAME1_192.168.1.2

in the lea-loggrabber-splunk/local/transforms.conf the kv extraction looks like this in this

[src_ip]
SOURCE_KEY=src
REGEX=(.*)
FORMAT=src_ip::$1

which means that I am trying to aggregate IPs that may or may not match.

Two part question: Is there a way to write a regex that will grab only the IP part from the string (either following the = or _ if the ip starts with HOSTNAME1_192.168.1.2)?

would the best way be to define a new field value for just the IP and one for the hostname HOSTNAME1_192.168.1.2 ->(hostname::$1)_(ip::$2)

secondly would this be best approached by a seperate transforms stanza and props.conf entry (REPORT-ip-extact = ) for the sourcetype([opsec])?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Ledion_Bitincka
Splunk Employee
Splunk Employee
‎07-12-2010 04:13 PM

Try the following 

[extract_hostnum_ip]
SOURCE_KEY=src
REGEX=(?:HOSTNAME(?<hostnum>\d+)_)?(?<ip>\d+\.\d+\.\d+\.\d+)

View solution in original post

Reply
Solved! Jump to solution
Solution

Ledion_Bitincka
Splunk Employee
Splunk Employee
‎07-12-2010 04:13 PM

Try the following 

[extract_hostnum_ip]
SOURCE_KEY=src
REGEX=(?:HOSTNAME(?<hostnum>\d+)_)?(?<ip>\d+\.\d+\.\d+\.\d+)
Reply
Solved! Jump to solution

EricPartington
Communicator
‎07-26-2010 05:41 PM

would that line be added to props or transforms? My guess is props.conf

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

🔐 Trust at Every Hop: How mTLS in Splunk Enterprise 10.0 Makes Security Simpler

From Idea to Implementation: Why Splunk Built mTLS into Splunk Enterprise 10.0  mTLS wasn’t just a checkbox ...