All Apps and Add-ons
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Field Extraction Stops Working

corwinz6
Explorer
‎11-12-2012 01:18 PM

I want to associate the IP address included in the logs that refers to the device the log came from to a field. i.e: 

Nov 12 16:04:21 x.x.x.x date=2012-11-12 time=16:03:21

where x.x.x.x is the IP I want included in the new field. When I use the interactive field extractor sometimes it gives me:

(?i)^(?:[^ ]* ){3}(?P<FIELDNAME>[^ ]+)

which works for a week or two and then stops.

If I use the extractor again it then gives me a slightly different output of: 

(?i)^(?:[^ ]* ){4}(?P<FIELDNAME>[^ ]+)

This one then works for a time and I have to end up changing it back to the {3} extraction and so on. I'm not very regex savvy, is there someone who could assist me with a regex string that will consistently grab that field?

Thanks

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

martin_mueller
SplunkTrust
SplunkTrust
‎11-13-2012 12:09 AM

The field extractor regex basically counts the number of spaces before the IP. During the first nine days of the month there is an extra space, compare:

Nov  9 01:02:03 x.x.x.x
Nov 10 01:02:03 x.x.x.x

However, what you want is "three words before the IP", not "three (or four) spaces before the IP". Try something like this untested extraction:

^(?:[^\s]+\s+){3}(?P<FIELDNAME>(\d{1,3}\.){3}\d{1,3})

This looks for "positive number of non-spaces followed by positive number of spaces" (read: "words") three times, then picks out the IP while taking the decimal notation into account. Note, this would allow invalid IPs such as "999.999.999.999".

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

martin_mueller
SplunkTrust
SplunkTrust
‎11-13-2012 12:09 AM

The field extractor regex basically counts the number of spaces before the IP. During the first nine days of the month there is an extra space, compare:

Nov  9 01:02:03 x.x.x.x
Nov 10 01:02:03 x.x.x.x

However, what you want is "three words before the IP", not "three (or four) spaces before the IP". Try something like this untested extraction:

^(?:[^\s]+\s+){3}(?P<FIELDNAME>(\d{1,3}\.){3}\d{1,3})

This looks for "positive number of non-spaces followed by positive number of spaces" (read: "words") three times, then picks out the IP while taking the decimal notation into account. Note, this would allow invalid IPs such as "999.999.999.999".

0 Karma
Reply
Register for .conf25!
Get Updates on the Splunk Community!

Splunk Developers: Go Beyond the Dashboard with These .Conf25 Sessions

  Whether you’re building custom apps, diving into SPL2, or integrating AI and machine learning into your ...

AppDynamics Summer Webinars

This summer, our mighty AppDynamics team is cooking up some delicious content on YouTube Live to satiate your ...

SOCin’ it to you at Splunk University

Splunk University is expanding its instructor-led learning portfolio with dedicated Security tracks at .conf25 ...