splunkninja

The dojo of Splunk. Learn, share, teach, mentor.

Patrick Swackhammer
  • Male
  • Saint Louis, MO
  • United States
Share
Share on Twitter
Share on Facebook

Patrick Swackhammer's Discussions

How do I migrate custom field extractions to my new Splunk server?
1 Reply

I just migrated all my warm buckets over to our new Splunk server (CentOS) from Windows. I have quite a few custom field extractions that I'd like to migrate over as well.  How do I do that?Thanks,Sw…

Tagged: FieldExtraction, Linux, Migrate

Started this discussion. Last reply by Patrick Swackhammer Jul 20.

Regex For Identifying IP Addresses (To Extract Field)
13 Replies

I've tried and failed to extract the IP Address field such that it only includes sets of 4 numbers that are all separated by periods.  The built-in Splunk Regex pattern generator always seems to tag…

Started this discussion. Last reply by Michael Wilde Apr 6.

Error installing IMAP App
1 Reply

Trying to test out the IMAP app, but when I go in to add a mail server and login name, then save, I get this error? Encountered the following error while trying to update: https://127.0.0.1:8089/serv

Tagged: Error, Apps, App, IMAP

Started this discussion. Last reply by Patrick Swackhammer Mar 11.

 

Patrick Swackhammer's Page

Gifts Received

Gift

Patrick Swackhammer has not received any gifts yet

Give Patrick Swackhammer a Gift

Latest Activity

Patrick Swackhammer replied to Patrick Swackhammer's discussion 'How do I migrate custom field extractions to my new Splunk server?'
I got this answered over at Splunk Answers: http://answers.splunk.com/questions/4864/how-do-i-migrate-custom-field-extractions-to-my-new-splunk-server
July 20
Patrick Swackhammer added a discussion
How do I migrate custom field extractions to my new Splunk server?
I just migrated all my warm buckets over to our new Splunk server (CentOS) from Windows. I have quite a few custom field extractions that I'd like to migrate over as well.  How do I do that?Thanks,Swack
July 20
Michael Wilde replied to Patrick Swackhammer's discussion 'Regex For Identifying IP Addresses (To Extract Field)'
James' question is answered over here. http://splunkninja.com/forum/topics/need-regex-help-please
April 6
Marcelo Finkielsztein replied to Patrick Swackhammer's discussion 'Regex For Identifying IP Addresses (To Extract Field)'
what about this? index=* frominternet | rex field=_raw ".*?\s(?\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}).*\s(?\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}).*" | fields + IP1, IP2 | head 3 note that this search filters only lines that contain "frominternet" then c…
April 6
Siegfried Puchbauer replied to Patrick Swackhammer's discussion 'Regex For Identifying IP Addresses (To Extract Field)'
Try this one: (?\d+\.\d+\.\d+\.\d+)\(\d+\) \-> (?\d+\.\d+\.\d+\.\d+)\(\d+\) it should extract the first ip as "src_ip" and the second one as "dest_ip" Cheers, Siegfried
April 6
Marcelo Finkielsztein replied to Patrick Swackhammer's discussion 'Regex For Identifying IP Addresses (To Extract Field)'
just a humble note. I *ALWAYS* write a comment beside a regex, translating it step by step into "plain human readable". The more verbose the documentation, the better. I find regexes very risky; this comes together with their great power, i suppose…
April 6
Michael Wilde replied to Patrick Swackhammer's discussion 'Regex For Identifying IP Addresses (To Extract Field)'
Thats pretty sweet... I like that idea of limiting it to between one and three characters. I've seen some other ones the limit it to the actual possible digits in an IP... i'm still trying to understand the cryptic nature of them. (([2]([0-4][0-9]|…
April 6
James Esposito replied to Patrick Swackhammer's discussion 'Regex For Identifying IP Addresses (To Extract Field)'
Guys, I found your thread and hope that you can help me with a similar extraction problem. Here is a single syslog entry I'm trying to extract a field: Apr 3 15:04:55 adsl-068-153-219-120.sip.bct.bellsouth.net 6807: Router-1969: 006804: Apr 3 15:0…
April 3
Marcelo Finkielsztein replied to Patrick Swackhammer's discussion 'Regex For Identifying IP Addresses (To Extract Field)'
pffff ... show me someone who says they "know everything" about regex and i will show you a liar. glad to help :-) Marcelo
March 23
Patrick Swackhammer replied to Patrick Swackhammer's discussion 'Regex For Identifying IP Addresses (To Extract Field)'
Great Marcelo! Thanks! I learn something new everyday! (Of course, it's not hard for me to learn something new about regular expressions.)
March 23
Marcelo Finkielsztein replied to Patrick Swackhammer's discussion 'Regex For Identifying IP Addresses (To Extract Field)'
Have you tried something like: \d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3} meaning: (1 to 3 digits), (then a dot), (1 to 3 digits), (a dot), (1 to 3 digits), (dot), (1 to 3 digits). HTH Marcelo
March 23
Patrick Swackhammer replied to Patrick Swackhammer's discussion 'Regex For Identifying IP Addresses (To Extract Field)'
Thanks Ferry! I was able to get it working using this: | rex "(?\d+\.\d+\.\d+\.\d+)"
March 17
Ferry Leirissa replied to Patrick Swackhammer's discussion 'Regex For Identifying IP Addresses (To Extract Field)'
Oops paste errors.... * | rex "v630\/(?P\d+\.\d+\.\d+\.\d+)" then you get the IP as a field,,hope this helps! Cheers Ferry
March 17
Ferry Leirissa replied to Patrick Swackhammer's discussion 'Regex For Identifying IP Addresses (To Extract Field)'
Hai Patrick, Guest you have to dig into the pre and postfix part : (?i) accepted: (?P.*) means : search for accepted: and put everyting .* after that in FIELDNAME Thist wil not work for the other example....based on that info you have to use someh…
March 17
Patrick Swackhammer replied to Patrick Swackhammer's discussion 'Regex For Identifying IP Addresses (To Extract Field)'
FYI, I've tried \d+\.\d+\.\d+\.\d+ but it doesn't find anything in the sample lines above.
March 16
Patrick Swackhammer added a discussion
Regex For Identifying IP Addresses (To Extract Field)
I've tried and failed to extract the IP Address field such that it only includes sets of 4 numbers that are all separated by periods.  The built-in Splunk Regex pattern generator always seems to tag additional text or punctuation that makes it took…
March 16

Profile Information

Are you an existing splunk user?
Licensed
What do you do for your day job?
Network Engineer

Comment Wall

You need to be a member of splunkninja to add comments!

Join splunkninja

  • No comments yet!
 
 
 

Videos

Latest Splunk Community Postings

Latest Splunk Forum Posts

Adding additional servers to *Nix app?

Create new Field and Assign existing field in transforms.conf

How do I remove Sources?

Clear Windows Logs?

Create new Field and Assign existing field in transforms.conf

© 2010   Created by Michael Wilde.   Powered by .

Badges  |  Report an Issue  |  Terms of Service

Sign in to chat!