
I have some data I would like to analyze using Splunk. The data is in the following format.

18.02.2016 13:55:55 01D4 PACKET  014D4198 UDP Snd 10.10.10.148    9e8b R Q [8081   DR  NOERROR] A     (5)rover(4)ebay(3)com(0)
18.02.2016 13:55:27 01C4 PACKET  014E1E38 UDP Rcv 10.10.10.160    fa2b   Q [0001   D   NOERROR] A     (2)ib(5)adnxs(3)com(0)

I need to get various parts into named groups using regex.

For example, to get the IP, I have the following:

(Snd|Rcv)\s(?<ip>\d+\.\d+\.\d+\.\d+)\s

That gives:

ip 10.10.10.148
ip 10.10.10.160

But how to get the URL to one named group like this:

url rover.ebay.com
url ib.adnxs.com

I thought of using Non-Capturing Groups within a named Capturing Group, but that is clearly not correct:

\(\d+\)(?<url>\w+(?:\(\d+\))\w+(?:\(\d+\))\w+(?:\(\d+\)))

Not working.

PS: the url may be of various lengths, so that should be handled as well.

(2)ib(5)adnxs(3)com(2)br(0)
Jotne
    I guess you need to replace: [`\s\(\d+\)([^()]+)\(\d+\)([^()]+)\(\d+\)([^()]+)\(\d+\)$` --> `url $1.$2.$3`](https://regex101.com/r/tT5xP2/1). Or - if their number is varied, use [`\s\(\d+\)\K(?:[^()\n]+\(\d+\))+$`](https://regex101.com/r/tT5xP2/3) to match the substrings, and then replace `\(\d+\)` with `.`? – Wiktor Stribiżew Feb 18 '16 at 20:45
  • @WiktorStribiżew This will then be locked to 3 parts. I am not sure how to do it with multiple lines as well. Need it on one line. – Jotne Feb 18 '16 at 21:19
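The two-step approach suggested in the comments (capture the whole length-prefixed name in one named group, then turn every `(n)` length marker into a dot) works for any number of labels. The following is an added Python example, not code from the question or the comments; the sample lines are constructed in the same layout as the two lines in the question, plus one with four labels, and the field names (`dir`, `ip`, `rawname`, `url`, and so on) are my own choice.

```python
import re

# Constructed sample lines in the same DNS debug-log layout as the question.
SAMPLE_LINES = [
    "18.02.2016 13:55:55 01D4 PACKET  014D4198 UDP Snd 10.10.10.148    9e8b R Q [8081   DR  NOERROR] A     (5)rover(4)ebay(3)com(0)",
    "18.02.2016 13:55:27 01C4 PACKET  014E1E38 UDP Rcv 10.10.10.160    fa2b   Q [0001   D   NOERROR] A     (2)ib(5)adnxs(3)com(0)",
    "18.02.2016 13:56:01 01C4 PACKET  014E1E38 UDP Rcv 10.10.10.161    ab12   Q [0001   D   NOERROR] A     (2)ib(5)adnxs(3)com(2)br(0)",
]

# One pattern extracts the fixed-position fields. The query name is captured
# in its raw length-prefixed form, e.g. "(5)rover(4)ebay(3)com(0)", so the
# number of labels does not matter: "(?:\(\d+\)[^()\s]*)+" repeats per label
# and "\(0\)" is the root terminator.
LINE_RE = re.compile(
    r"""
    (?P<date>\d{2}\.\d{2}\.\d{4})\s+
    (?P<time>\d{2}:\d{2}:\d{2})\s+
    (?P<thread>[0-9A-F]+)\s+PACKET\s+
    (?P<ctx>[0-9A-F]+)\s+
    (?P<proto>UDP|TCP)\s+
    (?P<dir>Snd|Rcv)\s+
    (?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+
    (?P<xid>[0-9a-f]{4})\s+
    (?P<resp>R?)\s*Q\s+
    \[(?P<flags_hex>[0-9a-f]{4})\s+(?P<flags>[A-Z]*)\s+(?P<rcode>\w+)\]\s+
    (?P<qtype>\w+)\s+
    (?P<rawname>(?:\(\d+\)[^()\s]*)+\(0\))
    """,
    re.VERBOSE,
)

# Second step: every "(n)" length marker becomes a label separator.
LABEL_RE = re.compile(r"\(\d+\)")


def decode_name(raw):
    """Turn '(5)rover(4)ebay(3)com(0)' into 'rover.ebay.com'."""
    labels = [lbl for lbl in LABEL_RE.split(raw) if lbl]
    return ".".join(labels)


def parse_line(line):
    """Return a dict of named fields for one log line, or None if it does not match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    fields = m.groupdict()
    fields["url"] = decode_name(fields["rawname"])
    return fields


def parse_lines(lines):
    """Parse many lines, silently skipping ones that do not match the layout."""
    return [f for f in (parse_line(l) for l in lines) if f is not None]


if __name__ == "__main__":
    for rec in parse_lines(SAMPLE_LINES):
        print(rec["dir"], rec["ip"], rec["url"])
```

The same idea carries over to Splunk, which uses PCRE-style `(?<name>...)` groups: extract `rawname` with one `rex`, then post-process it with a second `rex mode=sed` that substitutes `\(\d+\)` with `.` (and trim the leading and trailing dot that leaves behind). Only the raw name is matched by the regex, so a name with two, three or five labels all land in the same field.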
