is $ supported in regex for field extraction ?

Path Finder

I've got the following log line and I wish I could extract the last IP address field:

.................(variable number of fields)....."N/A","N/A","xxx.xxx.xxx.xxx"

I used to think that something like the following should have worked

(?P<lastIP>\d+.\d+.\d+.\d+$)


Re: is $ supported in regex for field extraction ?

SplunkTrust

The $ represents the end of a line in multi-line mode, so it should work if that IP is at the end of the line.

But why use a dollar sign?

Try this

(?P<IP_Name>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})

This says: look for a run of 1-3 digits, followed by a ., followed by 1-3 digits, then a ., then 1-3 digits, then a ., followed by 1-3 digits.


Re: is $ supported in regex for field extraction ?

Contributor

You forgot the 1, for the last two \d 🙂
I think the anchor might be needed if there are other IP addresses in the same event.


Re: is $ supported in regex for field extraction ?

SplunkTrust

Whoops, thanks for pointing that out. Yes, true: if he has multiple unique IP addresses, then he could use a dollar sign or a lookbehind.

(?P<LastIP>(?<=N\/A\"\,\")\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})


Re: is $ supported in regex for field extraction ?

Contributor

Yes, but you can't expect the previous field to always have the N/A value, so I believe a $ would be more appropriate.


Re: is $ supported in regex for field extraction ?

Path Finder

(?P<lastIP>\d{1,3}.\d{1,3}.\d{1,3}.\d{1,3}) matches the first IP address found in my log line 😞
Adding $ (outside or inside the parentheses) breaks any match.


Re: is $ supported in regex for field extraction ?

SplunkTrust

Can you provide us with a few more lines of sample data? Is there always an NA value in front of the IP or can it vary?


Re: is $ supported in regex for field extraction ?

Path Finder

I've attached a sample file with three events.


Re: is $ supported in regex for field extraction ?

Splunk Employee

Try moving the $ outside of the parentheses, and consume the closing double quote before it (dots escaped so they only match a literal period):

,"(?P<lastIP>\d+\.\d+\.\d+\.\d+)"$


Re: is $ supported in regex for field extraction ?

Contributor

I think that's the solution. Judging by the example lauMarot gave, the IP is followed by a double quote before the actual end of line.

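The following is an added example, not code from any poster in this thread and not Splunk's extraction engine; it runs the four regex variants discussed above through Python's re module (which treats (?P<name>...), fixed-width lookbehind and $ the same way Splunk's PCRE does for these patterns) against two constructed events, so you can see why the unanchored pattern returns the first IP, why $ inside the group fails when a double quote follows the IP, why the lookbehind breaks when the preceding field is not N/A, and why consuming the closing quote before $ works for both.

```python
import re

# Constructed sample events in the shape the question describes: a variable
# number of quoted fields ending with "N/A","N/A","<ip>". Not real data.
EVENT_NA = '"2024-01-01 10:00:00","10.0.0.1","N/A","N/A","192.168.1.50"'
# Same layout, but the field before the last IP is not N/A.
EVENT_NO_NA = '"2024-01-01 10:00:01","10.0.0.2","N/A","foo","192.168.1.51"'

# One dotted-quad building block shared by every variant.
IP = r'\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}'

PATTERNS = {
    # No anchor at all: the engine stops at the FIRST IP in the event.
    "unanchored": rf'(?P<lastIP>{IP})',
    # $ inside the group: no match, because a '"' sits between the IP and
    # the end of the line.
    "dollar_inside": rf'(?P<lastIP>{IP}$)',
    # Lookbehind on the preceding field: only works when that field is N/A.
    "lookbehind": rf'(?P<lastIP>(?<=N/A",")({IP}))',
    # Consume the closing quote, then anchor: works regardless of the
    # preceding field, as long as the IP is the last quoted field.
    "dollar_outside": rf',"(?P<lastIP>{IP})"$',
}


def extract(pattern: str, event: str):
    """Return the lastIP group of the first match, or None if nothing matched."""
    m = re.search(pattern, event)
    return m.group("lastIP") if m else None


def compare(event: str) -> dict:
    """Run every variant against one event and report what each extracts."""
    return {name: extract(pat, event) for name, pat in PATTERNS.items()}


if __name__ == "__main__":
    for label, event in (("N/A before IP", EVENT_NA), ("other value before IP", EVENT_NO_NA)):
        print(label)
        for name, result in compare(event).items():
            print(f"  {name:15s} -> {result}")
```

The table printed by the block makes the thread's conclusion concrete: only the variant with the quote consumed and $ outside the group extracts the last IP from both events, which is what matters if the N/A fields are not guaranteed.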