Solved: regex help

surekhasplunk · ‎03-09-2020

Hi,

My sample code looks like below :

Mon Mar  9 14:18:14 2020: Unknown trap (.1.1.1.1.1..1) received from hostname.abcd.com at: 
Value 0: hostname.abcd.com
Value 1: 1.2.3.4
Value 2: 11.22.33.44

Another sample value is 

Mon Mar  9 13:38:23 2020: Unknown trap (.1.2.3.4.5.6) received from 19.19.19.19 at: 
Value 0: 19.19.19.19
Value 1: 4.4.4.4.4
Value 2: 12.13.14.15

Value 0: give me either the IP or the hostname .
I need to extract field called machine_name with the value of Value 0:

gcusello · ‎03-09-2020

Hi @surekhasplunk,
try this:

(?ms)Value\s+0:\s+(?<value0>[^ ]+)Value

that you can test at https://regex101.com/r/SlYtf3/1

Ciao.
Giuseppe

View solution in original post

gcusello · ‎03-09-2020

Hi @surekhasplunk,
try this:

(?ms)Value\s+0:\s+(?<value0>[^ ]+)Value

that you can test at https://regex101.com/r/SlYtf3/1

Ciao.
Giuseppe

surekhasplunk · ‎03-09-2020

Thanks @gcusello It worked 🙂

gcusello · ‎03-09-2020

You're welcome!
Ciao and next time.
Giuseppe

regex help

See just what you’ve been missing | Observability tracks at Splunk University

Weezer at .conf25? Say it ain’t so!

How SC4S Makes Suricata Logs Ingestion Simple

Are you a member of the Splunk Community?

regex help

See just what you’ve been missing | Observability tracks at Splunk University

Weezer at .conf25? Say it ain’t so!

How SC4S Makes Suricata Logs Ingestion Simple