Parsing ip address coming at random places inside logs

Muhammad_Faisal · December 19, 2020, 8:28pm

hi guys,

input log message contains IP address but the occurence of ip is random inside message and also some times the message will not contain any ip ...how can we extract this ip address using grok or other filters.

example of input log messages :
this is server log 10.20.30.10 error observed
10.20.50.10 exception occurred
no error observed.

i am trying below, not working

grok { match => {"message" => " ((?<wildcard>.*)%{IPV4:IP}(?<wildcard>.*)") | %{IPV4:IP}(?<wildcard>.*) | (?<wildcard>.*)}
}

Badger · December 19, 2020, 9:24pm

If you just want the IP then you can use

grok { match => { "message" => "%{IPV4:IP}" } }

and grok will find it if it is anywhere in the message.

Muhammad_Faisal · December 20, 2020, 9:43am

hi Badger,

thanks for input.

built in grok will capture ip address once in the log message and remaining ip address will not parse...there are instances where ip address is populating multiple times or less without any particular position such as ...

10.20.30.10 exception 10.20.50.90 error at server 10.30.10.10

is there any grok which can parse all ip addresses occurences coming anywhere in input message at any place

thanks

Muhammad_Faisal · December 20, 2020, 10:01am

also if input log message does not have ip address , it give me _grokparsefailure

Badger · December 20, 2020, 8:22pm

In you want to capture every occurrence of a regexp in a field then use a ruby filter and the String.scan function.

    ruby {
        code => 'event.set("anArray", event.get("message").scan(/(?<![0-9])(?:(?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5])[.](?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5])[.](?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5])[.](?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5]))(?![0-9])/))'
    }

Edited to add: The grok pattern for IPV4 is one of the core patterns.

system · January 17, 2021, 4:05pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.