Splunk Search

regex fu (if contains : do this)

nickhills
Ultra Champion

Hey guys, this is one for any regex grand masters.

I have a field (snort_dst) which contains addresses in both these formats:

1.2.3.4
5.6.7.8:910

where :910 denotes the port number.
I have the following search, which splits the address into snort_dst_ip and snort_dst_port fields:

| rex field=snort_dst "(?<snort_dst_ip>[^:]+):(?<snort_dst_port>\S+)" 

This properly splits on the : but my values which are just IPs don't get matched, as they don't fit the :portnum regex.

What I need is something which will work in either situation, something like "if contains : do this, else do this", but my regex knowledge is still in its infancy.

If my comment helps, please give it a thumbs up!

sowings
Splunk Employee

Put the section with a colon and the port in a group that you'll declare is optional:

(...)?

Try this.

| rex field=snort_dst "(?<snort_dst_ip>[^:]+)(:(?<snort_dst_port>\S+))?"

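Worked example, added here and not part of the original thread: the two rex patterns from the question and the accepted answer, run over a few constructed snort_dst values in Python so the difference is visible. Splunk's rex uses PCRE named groups `(?<name>...)`; Python's `re` spells the same thing `(?P<name>...)`, which is the only change made to the patterns. The third sample value is an IPv6 literal, included because `[^:]+` stops at the first colon and so splits such addresses in the wrong place, and `\S+` accepts any non-whitespace as the port; both are properties of the regex itself, not of Splunk.

```python
import re

# Pattern from the question: the ":port" part is mandatory, so bare IPs never match.
ORIGINAL_RE = re.compile(r"(?P<snort_dst_ip>[^:]+):(?P<snort_dst_port>\S+)")

# Pattern from the accepted answer: the ":port" part is wrapped in an optional group.
OPTIONAL_RE = re.compile(r"(?P<snort_dst_ip>[^:]+)(:(?P<snort_dst_port>\S+))?")

# Constructed sample field values (not taken from any real Snort log).
SAMPLE_SNORT_DST = ["1.2.3.4", "5.6.7.8:910", "2001:db8::1"]


def split_original(value):
    """Apply the mandatory-port pattern; None means the rex would extract nothing."""
    m = ORIGINAL_RE.search(value)  # rex is an unanchored search, like re.search
    if m is None:
        return None
    return m.group("snort_dst_ip"), m.group("snort_dst_port")


def split_optional(value):
    """Apply the optional-port pattern; port is None when the optional group did not match."""
    m = OPTIONAL_RE.search(value)
    if m is None:
        return None
    return m.group("snort_dst_ip"), m.group("snort_dst_port")


def extract_fields(values):
    """Mimic what rex adds to each event: a named group that did not participate
    produces no field at all, so only the keys that matched appear in each dict."""
    events = []
    for value in values:
        fields = {"snort_dst": value}
        m = OPTIONAL_RE.search(value)
        if m is not None:
            for name, captured in m.groupdict().items():
                if captured is not None:
                    fields[name] = captured
        events.append(fields)
    return events


if __name__ == "__main__":
    for v in SAMPLE_SNORT_DST:
        print(f"{v!r:16} original={split_original(v)!r:24} optional={split_optional(v)!r}")
    # Note the IPv6 row: '2001:db8::1' becomes ip='2001', port='db8::1',
    # because [^:]+ cannot tell an address colon from the port separator.
```

If the field can ever carry IPv6 literals, the colon alone is not a safe separator; the pattern above is only correct for the dotted-quad inputs shown in the question.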

nickhills
Ultra Champion

Thanks sowings, that's exactly what I needed. I knew it would be simple!

If my comment helps, please give it a thumbs up!