I'm trying to extract IP (v4) addresses from different events. For instance, for an event such as:
[...] sent ping to 1.1.1.1:514 [...]
this rex command works just fine:
| rex field=_raw " (?\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}):"
and for events such as:
[...] paired node xxxxxx@2.2.2.2 [...]
this slightly changed regex works as well:
rex field=_raw"@(?\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"
And so on. :) The problem is that these IP addresses are located in different places according to the type of events, so one rex command does not fit all patterns. Field extraction wizard for regular expressions also gets confused and only gets it right in some cases, but mostly gets it wrong.
Is there a way to tell rex to match pattern_1 OR pattern2 OR pattern3 and so on?
Or am I looking at this the wrong way?
↧