Learning, learning, learning . . . Our Splunk "expert" is gone, and the non-programmer gets to learn the task! How do you spell SPLUNK?
The dojo of Splunk. Learn, share, teach, mentor.
Videos
Latest Activity
Michael Wilde commented on Michael Wilde's video
Sure... When you do group mapping, map them to groups that don't have the domain admins in them. I have a separate OU=Groups that has "Splunk Users, Splunk Admins, Splunk Power Users" as group names, and specific users…
Mike Hartford commented on Michael Wilde's video
I want to give LDAP access to my splunk servcie but I don't want the LDAP users to have admin capabilitys in Splunk. Can I keep the domain admins out of Splunk if I have LDAP authentication???
Mike Hartford left a comment for Jonathan Hawes
Helow Jonathan,
Glad to have another Splunker. I've been useing Splunk for 2 years and am hooked. I leared how to spell splunk and | transaction too. you'll learn that one soon.
Go over to Splunk…
Mike Hartford commented on Mike Hartford's blog post 'tees for the holy day'
Holy Batskins Ninja, zzzzzwap zgruppp kapow a hidden stash, how great is that!!!!
The team that found them must have special bat senses and highly tooned Splunking skills
I like to wear Extra Lovable…
Patrick Swackhammer's Discussions
How do I migrate custom field extractions to my new Splunk server?
1 Reply
I just migrated all my warm buckets over to our new Splunk server (CentOS) from Windows. I have quite a few custom field extractions that I'd like to migrate over as well. How do I do…Continue
Tags: FieldExtraction, Linux, Migrate
Started this discussion. Last reply by Patrick Swackhammer Jul 20, 2010.
Regex For Identifying IP Addresses (To Extract Field)
13 Replies
I've tried and failed to extract the IP Address field such that it only includes sets of 4 numbers that are all separated by periods. The built-in Splunk Regex pattern generator always seems to tag…Continue
Started this discussion. Last reply by Michael Wilde Apr 6, 2010.
Error installing IMAP App
1 Reply
Trying to test out the IMAP app, but when I go in to add a mail server and login name, then save, I get this error?Encountered the following error while trying to update:…Continue
Started this discussion. Last reply by Patrick Swackhammer Mar 11, 2010.
Patrick Swackhammer's Page
Gifts Received
Patrick Swackhammer has not received any gifts yet
Latest Activity
Patrick Swackhammer replied to Patrick Swackhammer's discussion 'How do I migrate custom field extractions to my new Splunk server?'
I got this answered over at Splunk Answers:
http://answers.splunk.com/questions/4864/how-do-i-migrate-custom-field-extractions-to-my-new-splunk-server
How do I migrate custom field extractions to my new Splunk server?
I just migrated all my warm buckets over to our new Splunk server (CentOS) from Windows. I have quite a few custom field extractions that I'd like to migrate over as well. How do I do that?Thanks,SwackSee More
Discussion posted by Patrick Swackhammer
Michael Wilde replied to Patrick Swackhammer's discussion 'Regex For Identifying IP Addresses (To Extract Field)'
James' question is answered over here.
http://splunkninja.com/forum/topics/need-regex-help-please
Marcelo Finkielsztein replied to Patrick Swackhammer's discussion 'Regex For Identifying IP Addresses (To Extract Field)'
what about this?
index=* frominternet | rex field=_raw ".*?\s(?\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}).*\s(?\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}).*" | fields + IP1, IP2 | head 3
note that this search filters only lines that contain…
Siegfried Puchbauer replied to Patrick Swackhammer's discussion 'Regex For Identifying IP Addresses (To Extract Field)'
Try this one:
(?\d+\.\d+\.\d+\.\d+)\(\d+\) \-> (?\d+\.\d+\.\d+\.\d+)\(\d+\)
it should extract the first ip as "src_ip" and the second one as "dest_ip"
Cheers, Siegfried
Marcelo Finkielsztein replied to Patrick Swackhammer's discussion 'Regex For Identifying IP Addresses (To Extract Field)'
just a humble note.
I *ALWAYS* write a comment beside a regex, translating it step by step into "plain human readable".
The more verbose the documentation, the better.
I find regexes very risky; this comes together with their great power,…
Michael Wilde replied to Patrick Swackhammer's discussion 'Regex For Identifying IP Addresses (To Extract Field)'
Thats pretty sweet... I like that idea of limiting it to between one and three characters. I've seen some other ones the limit it to the actual possible digits in an IP... i'm still trying to understand the cryptic nature of…
James Esposito replied to Patrick Swackhammer's discussion 'Regex For Identifying IP Addresses (To Extract Field)'
Guys,
I found your thread and hope that you can help me with a similar extraction problem. Here is a single syslog entry I'm trying to extract a field:
Apr 3 15:04:55 adsl-068-153-219-120.sip.bct.bellsouth.net 6807: Router-1969: 006804: Apr 3…
Marcelo Finkielsztein replied to Patrick Swackhammer's discussion 'Regex For Identifying IP Addresses (To Extract Field)'
pffff ... show me someone who says they "know everything" about regex and i will show you a liar.
glad to help :-)
Marcelo
Patrick Swackhammer replied to Patrick Swackhammer's discussion 'Regex For Identifying IP Addresses (To Extract Field)'
Great Marcelo! Thanks! I learn something new everyday! (Of course, it's not hard for me to learn something new about regular expressions.)
Marcelo Finkielsztein replied to Patrick Swackhammer's discussion 'Regex For Identifying IP Addresses (To Extract Field)'
Have you tried something like:
\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}
meaning:
(1 to 3 digits), (then a dot), (1 to 3 digits), (a dot), (1 to 3 digits), (dot), (1 to 3 digits).
HTH
Marcelo
Patrick Swackhammer replied to Patrick Swackhammer's discussion 'Regex For Identifying IP Addresses (To Extract Field)'
Thanks Ferry! I was able to get it working using this:
| rex "(?\d+\.\d+\.\d+\.\d+)"
Ferry Leirissa replied to Patrick Swackhammer's discussion 'Regex For Identifying IP Addresses (To Extract Field)'
Oops paste errors....
* | rex "v630\/(?P\d+\.\d+\.\d+\.\d+)"
then you get the IP as a field,,hope this helps!
Cheers
Ferry
Ferry Leirissa replied to Patrick Swackhammer's discussion 'Regex For Identifying IP Addresses (To Extract Field)'
Hai Patrick,
Guest you have to dig into the pre and postfix part :
(?i) accepted: (?P.*) means : search for accepted: and put everyting .* after that in FIELDNAME
Thist wil not work for the other example....based on that info you have to use…
Patrick Swackhammer replied to Patrick Swackhammer's discussion 'Regex For Identifying IP Addresses (To Extract Field)'
FYI, I've tried
\d+\.\d+\.\d+\.\d+
but it doesn't find anything in the sample lines above.
Regex For Identifying IP Addresses (To Extract Field)
I've tried and failed to extract the IP Address field such that it only includes sets of 4 numbers that are all separated by periods. The built-in Splunk Regex pattern generator always seems to tag additional text or punctuation that makes it took specific. For instance, the pattern generator tells me to use this:(?i) accepted: (?P<FIELDNAME>.*) That works to find 172.25.97.121 in the line below:2010-03-16 09:46:57.288/[NioTCPListener, swiftlet=sys$jms, port=4001]/INFORMATION/connection…See More
Discussion posted by Patrick Swackhammer
Profile Information
- Are you an existing splunk user?
- Licensed
- What do you do for your day job?
- Network Engineer
Comment Wall
- No comments yet!
© 2012 Created by Michael Wilde.
