Creating a field with a regexp only returns the first () match, so you have to put the entire pattern inside one set of parentheses.
I've never found it necessary to be quite so pedantic about the form of the IP address. For example:

- regex_value: Failed password for root from ([\d\.]+)
- regex_value: Invalid user [\d\w]+ from ([\d\.]+)
- regex_value: ^.* for IP (\S+):
- regex_value: ^.*from IP: (.+)"$

These are all taken from functional extractors on production inputs. Each pattern knows there will be an IP at a specific spot so I just grab that spot.

If you really need a free-form IP match, I'd try with something like:

    ^.+\s+(\d+\.\d+\.\d+\.\d+)\s+.+

This will look for digits and periods in an IPv4 format, but doesn't bother with looking for impossible values, as I don't expect existing production applications to ever log such junk, and the complex regexp required is a performance drain I need to avoid.

Note that getting this specific will only match an IPv4 format IP address, like the first two of my examples. The last two are general enough to match either v4 or v6 addresses, but they assume the address will be surrounded by expected keywords that serve as the pattern match boundaries.

On Mon, Dec 19, 2016 at 11:26 AM, Marvin Popyk <[email protected]> wrote:

> Hello,
>
> I'm trying to extract any IP address in a message like the following:
>
> haproxy[1193]: 10.3.1.111:49936 [19/Dec/2016:12:05:41.795]
>
> Obviously the IP will change so I'd like an expression to pull any IP
> address and dump it into a field.
>
> I have this expression but it only pulls the first digit:
>
> \b(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}\b
>
> Any help would be appreciated.
>
> Thanks
>
> --
> You received this message because you are subscribed to the Google Groups
> "Graylog Users" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/graylog2/40015c6a-ceac-4710-bc69-b7eef4ebb92f%40googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.

--
No matter what we think of Linux versus FreeBSD, etc., the one thing I really like about Linux is that it has Microsoft worried. Anything that kicks a monopoly in the pants has got to be good for something. - Chris Johnson
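
The capture-group behaviour discussed in this thread, as an added example that is not part of the original messages. Python's re module stands in for the Graylog regex extractor (an assumption), first_group is a hypothetical helper, and the sshd line is constructed; the haproxy line is the one quoted in the question.

```python
import re

# Line quoted in the original question.
HAPROXY = "haproxy[1193]: 10.3.1.111:49936 [19/Dec/2016:12:05:41.795]"
# Constructed sample for the keyword-anchored extractor from the reply.
SSHD = "sshd[2211]: Failed password for root from 192.0.2.45 port 51122 ssh2"

# One IPv4 octet, non-capturing so it never becomes "group 1".
OCTET = r"(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)"

PATTERNS = {
    # As posted in the question: group 1 wraps only the first octet.
    "strict_as_posted": (r"\b(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)"
                         r"(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}\b"),
    # Same match, but the whole address sits inside a single capturing group.
    "strict_one_group": rf"\b({OCTET}(?:\.{OCTET}){{3}})\b",
    # Free-form pattern from the reply: needs whitespace on both sides of the IP.
    "free_form": r"^.+\s+(\d+\.\d+\.\d+\.\d+)\s+.+",
    # Keyword-anchored pattern from the reply.
    "keyword_anchored": r"Failed password for root from ([\d\.]+)",
}


def first_group(pattern, message):
    """Return capture group 1 only (the behaviour described above), or None."""
    m = re.search(pattern, message)
    return m.group(1) if m else None


def run_all(message):
    """Apply every pattern to one message and collect what group 1 holds."""
    return {name: first_group(p, message) for name, p in PATTERNS.items()}


if __name__ == "__main__":
    for label, line in (("haproxy", HAPROXY), ("sshd", SSHD)):
        print(label)
        for name, value in run_all(line).items():
            print(f"  {name:18} -> {value!r}")
```

On the haproxy line the address is followed by `:49936` rather than whitespace, so a pattern that requires `\s+` after the address yields no field there.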
