Pipeline hangup

So what I’m trying to do is extract an ip address from my log - which seems simple enough until you realize there’s 4-5 of them in each log.
So essentially I want it to look for … which you would use regex .+ for that, at least I assume so. Then directly after those 3 dots extract the ip address.

Rule "Extract Source IP"
     regex(\.+), "...".matches=true
     extract the ipv4 address after those dots
set_field("src_ip, to_don'tknow.extractedipaddress")


I was going to suggest using GROK, but since there are 4-5 IP address, if I’m correct, I’m not sure.

Have you tried asking HowTo in Graylog Discord?

I found this, perhaps it will help.

It would be helpful if you could post a sample of the log you are trying to extract an IP address for. Otherwise, here is an untested pipeline rule that may get you what you need:

rule "Extract Source IP"
    regex(".+?[.]{3}(\\d+\\.\\d+\\.\\d+\\.\\d+)", to_string($message.message)).matches == true
    let m = to_string($message.message);
    let fields = regex(".+?[.]{3}(\\d+\\.\\d+\\.\\d+\\.\\d+)", to_string($message.message), ["src_ip"]);
1 Like

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.