You can do this - here's a simple example where the lookup regexes.csv contains two rows, the first with an IPv6 regex and the second with an IPv4, i.e. made with this SPL

    | makeresults
    | fields - _time
    | eval regex=split("([A-Za-z0-9]{1,4}:){7}##([0-9]{1,3}\.){3}[0-9]{1,3}", "##")
    | mvexpand regex
    | fields regex
    | outputlookup regexes.csv

This SPL then creates 3 ip values and matches them against the regexes

    | makeresults
    | fields - _time
    | eval ipv4="bla 10.1.2.3 bla"
    | eval ipv6="bla 2021:1431:aaaa:bbbb:cccc:dddd:1234:0 bla"
    | eval ipvbad="bla not an ip address bla"
    ``` Show how the regexes are evaluated ```
    | eval regexes=[ | inputlookup regexes.csv | stats values(regex) as regex | eval regex="\"(".mvjoin(regex, "|").")\"" | return $regex ]
    | foreach ipv* [ | eval ipv<<MATCHSTR>>_match_direct_from_lookup=if(match(<<FIELD>>, [ | inputlookup regexes.csv | stats values(regex) as regex | eval regex="\"(".mvjoin(regex, "|").")\"" | return $regex ]), 1, 0),
        ipv<<MATCHSTR>>_match_from_field=if(match(<<FIELD>>, regexes), 1, 0)
      ]
    | transpose 0

You can see the ipv4 and 6 match but the bad one does not.
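
Added example, not part of the original answer: the same join-and-match logic reproduced in Python so a regex list can be checked offline before it is written to regexes.csv. The CSV text, the deliberately broken third row, the extra test string and all function names are constructed for illustration; Python's `re` is assumed to treat these simple patterns the same way Splunk's `match()` does.

```python
import csv
import io
import re

# Constructed sample: the two rows the answer writes to regexes.csv,
# plus one deliberately broken row (unclosed group) to show validation.
LOOKUP_CSV = (
    'regex\n'
    '"([A-Za-z0-9]{1,4}:){7}"\n'
    '"([0-9]{1,3}\\.){3}[0-9]{1,3}"\n'
    '"([0-9]{1,3}"\n'
)


def load_regexes(csv_text):
    """Return (valid, rejected) patterns from a one-column 'regex' lookup."""
    valid, rejected = [], []
    for row in csv.DictReader(io.StringIO(csv_text)):
        pattern = (row.get("regex") or "").strip()
        if not pattern:
            continue
        try:
            re.compile(pattern)
            valid.append(pattern)
        except re.error:
            # A single bad row would make the whole joined regex invalid.
            rejected.append(pattern)
    return valid, rejected


def build_matcher(patterns):
    """Join rows as (row1|row2|...), like "(" . mvjoin(regex, "|") . ")"."""
    # stats values() returns distinct values in sorted order; mirror that.
    return re.compile("(" + "|".join(sorted(set(patterns))) + ")")


def match_flag(matcher, value):
    """1 or 0, like if(match(field, regexes), 1, 0). The match is unanchored."""
    return 1 if matcher.search(value) else 0


if __name__ == "__main__":
    valid, rejected = load_regexes(LOOKUP_CSV)
    matcher = build_matcher(valid)
    print("rejected rows:", rejected)
    for text in ("bla 10.1.2.3 bla",
                 "bla 2021:1431:aaaa:bbbb:cccc:dddd:1234:0 bla",
                 "bla not an ip address bla",
                 "version 999.999.999.999"):
        print(match_flag(matcher, text), text)
```

The last test string is flagged as a match because the IPv4 pattern only checks digit counts, not octet ranges, so anything shaped like a dotted quad will hit.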