Stuck on regex question for AD FS logs. I am trying to extract all IPs following a field ("Client IP: ") in an AD FS log.
My log looks like this (truncated to save space):
10/02/2018 09:22:50 AM
LogName=Security
SourceName=AD FS Auditing
EventCode=411
EventType=0
Type=Information
ComputerName=*
User=*
Sid=*
SidType=1
TaskCategory=Printers
OpCode=Info
RecordNumber=*
Keywords=Audit Failure, Classic
Message=Token validation failed. See inner exception for more details.
Additional Data
Activity ID: 00000000-0000-0000-0000-000000000000
Token Type:
http://schemas.microsoft.com/ws/2006/05/identitymodel/tokens/UserName
Client IP:
117.31.21.102,2603:1001:750:16::5
Error message:
*****
Exception details:
System.IdentityModel.Tokens.SecurityTokenValidationException: ******
at Microsoft.IdentityServer.Service.Tokens.MSISWindowsUserNameSecurityTokenHandler.ValidateToken(SecurityToken token)
So the end result desired is that I get both IP addresses under the field src_ip (so it is multivalue), and that it only tries the regex if it finds the EventCode=411 or 512, etc.
What I have so far is this:
(?ms)(?:\G(?!\A)\s*,\s*|EventCode=411\R.*?\R)\K(?P<src_ip>(?:\d{1,3}\.){3}(?:\d{1,3})|(?:::)?(?:[\dA-Fa-f]{1,4}:{1,2}){1,7}[\d%A-Fa-f.]*(?:::)?|::[\dA-Fa-f.]{1,15}|::) - which was helpfully provided by someone over at Stack Overflow.
This works in regex101 and any other regex helper sites. However, when applied to Splunk it only snatches up the first IP. What am I missing here? I have tested each individual part independently (as much as I could) and they have worked.
Is there a problem with negative lookaheads in Splunk?
Any ideas?
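Added example, not from the post or from Splunk: a stand-alone Python reimplementation of the intended extraction, useful for checking outside Splunk what the multivalue src_ip result for one event should look like. It gates on the event code first, then validates each comma-separated candidate with the ipaddress module instead of the long hand-written IP pattern; the sample event below is constructed from the one quoted in the post.

```python
import re
import ipaddress

# Constructed sample event, modelled on the AD FS EventCode=411 audit event in the post.
SAMPLE_EVENT = """10/02/2018 09:22:50 AM
LogName=Security
SourceName=AD FS Auditing
EventCode=411
Keywords=Audit Failure, Classic
Message=Token validation failed. See inner exception for more details.
Additional Data
Activity ID: 00000000-0000-0000-0000-000000000000
Client IP:
117.31.21.102,2603:1001:750:16::5
Error message:
"""

# Event codes whose Client IP field we want (411 and 512, as in the post).
WANTED_EVENT_CODES = {"411", "512"}

EVENT_CODE_RE = re.compile(r"^EventCode=(\d+)\s*$", re.MULTILINE)
# The value may sit on the same line as "Client IP:" or on the following line;
# \s* swallows the optional line break, then the rest of that line is captured.
CLIENT_IP_RE = re.compile(r"^Client IP:\s*(?P<ips>[^\r\n]*)", re.MULTILINE)


def extract_client_ips(event, wanted=WANTED_EVENT_CODES):
    """Return the Client IP addresses of one AD FS event as a list (multivalue),
    or [] when the event code is not wanted or no valid address is present."""
    code = EVENT_CODE_RE.search(event)
    if code is None or code.group(1) not in wanted:
        return []
    m = CLIENT_IP_RE.search(event)
    if m is None:
        return []
    ips = []
    for token in re.split(r"[,\s]+", m.group("ips")):
        token = token.split("%", 1)[0]  # drop an IPv6 zone index such as %eth0
        if not token:
            continue
        try:
            # ip_address() rejects junk such as a following "Error message:" line
            ips.append(str(ipaddress.ip_address(token)))
        except ValueError:
            continue
    return ips


if __name__ == "__main__":
    print(extract_client_ips(SAMPLE_EVENT))  # ['117.31.21.102', '2603:1001:750:16::5']
```

In Splunk itself, rex returns only the first match of a pattern unless max_match is raised (max_match=0 for unlimited), which is the usual reason a pattern that yields every address in regex101 yields one value in a search.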