So what I’m trying to do is extract an IP address from my log, which seems simple enough until you realize there are 4-5 of them in each log.
So essentially I want it to look for `…`, which you would use the regex `.+` for, at least I assume so. Then, directly after those 3 dots, extract the IP address.
Rule "Extract Source IP"
when
regex(\.+), "...".matches=true
then
extract the ipv4 address after those dots
set_field("src_ip, to_don'tknow.extractedipaddress")
end
It would be helpful if you could post a sample of the log you are trying to extract an IP address from. Otherwise, here is an untested pipeline rule that may get you what you need:
rule "Extract Source IP"
when
  // Match lazily up to the first run of three dots, then capture the dotted quad that directly follows them.
  regex(".+?[.]{3}(\\d+\\.\\d+\\.\\d+\\.\\d+)", to_string($message.message)).matches == true
then
  let m = to_string($message.message);
  // Naming the capture group "src_ip" makes the returned map usable directly by set_fields().
  let fields = regex(".+?[.]{3}(\\d+\\.\\d+\\.\\d+\\.\\d+)", m, ["src_ip"]);
  set_fields(fields);
end
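To see what that pattern does on messages with several addresses, here is an added Python example (not from the thread or from Graylog) that applies the answer's regex to constructed sample messages. Graylog evaluates Java regexes, but this pattern behaves the same under Python's `re`. The second, stricter pattern is my own addition, not something the answer proposes: it restricts each octet to 0-255 (the page's `\d+` accepts values like 999), and it drops the leading `.+?`, which requires at least one character before the dots and therefore fails when the message starts with the ellipsis. The `extract_src_ip` name, the `strict` flag and the sample lines are all constructed for this example.

```python
import re

# Pattern from the pipeline rule above: lazily consume up to the first "...",
# then capture the dotted quad that immediately follows.
PAGE_PATTERN = re.compile(r".+?[.]{3}(\d+\.\d+\.\d+\.\d+)")

# Stricter variant (assumption, not from the page): octets limited to 0-255,
# no mandatory prefix before the dots, and no trailing digit spill-over.
OCTET = r"(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)"
STRICT_PATTERN = re.compile(r"[.]{3}(" + OCTET + r"(?:\." + OCTET + r"){3})(?!\d)")

# Constructed sample messages (not real log lines); each carries several IPs.
SAMPLES = [
    "src=10.0.0.5 dst=172.16.0.9 ...192.168.1.20 via 8.8.8.8",  # quad right after the dots
    "...203.0.113.7 accepted",                                   # message starts with the dots
    "peer ...999.1.1.1 then 198.51.100.4",                       # not a valid address
    "no ellipsis here 10.1.1.1",                                 # nothing to extract
]


def extract_src_ip(message: str, strict: bool = False):
    """Return the address that directly follows the first '...', or None.

    Mirrors the rule's regex(...) call: only capture group 1 is returned,
    so addresses elsewhere in the message are ignored.
    """
    pattern = STRICT_PATTERN if strict else PAGE_PATTERN
    match = pattern.search(message)
    return match.group(1) if match else None


def build_fields(message: str, strict: bool = False) -> dict:
    """Build the map that set_fields() would receive: {"src_ip": ...} or {}.

    Returning an empty map when nothing matches mirrors the rule's guard in
    the when-clause, so no field is set on messages without an ellipsis.
    """
    ip = extract_src_ip(message, strict=strict)
    return {"src_ip": ip} if ip else {}


if __name__ == "__main__":
    for line in SAMPLES:
        print(f"{line!r}\n  page pattern  -> {build_fields(line)}"
              f"\n  strict pattern -> {build_fields(line, strict=True)}")
```

Running the block shows the page's pattern picking `192.168.1.20` out of the first line even though three other addresses are present, missing the second line entirely because of the leading `.+?`, and happily returning `999.1.1.1` on the third; the stricter pattern rejects the invalid quad and handles the ellipsis-first message. Which behaviour you want depends on the real log format, which is why the answer asks for a sample line.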