I spent some hours on this and find it really hard; the documentation and examples are quite sparse on this.
So far I have a regex that matches IPv4:
pattern = '((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)(\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)){3})'
replacement = "${1}"
I'm feeding it mock data using logger:
logger -n localhost -d -P 6514 "access-list randomx denied tcp blabla/34.23.43.10(51315) → bleh/172.16.18.15(80) hit-cnt 1 first hit [0x18449730, 0x0]"
The regex extract should go into the ipinfo field, but it seems that I'm doing something incorrect with the matching:
message="access-list randomx denied tcp blabla/34.23.43.10(51315) → bleh/172.16.18.15(80) hit-cnt 1 first hit [0x18449730, 0x0]",
ipinfo="access-list randomx denied tcp blabla/34.23.43.10(51315) → bleh/172.16.18.15(80) hit-cnt 1 first hit [0x18449730, 0x0]"
It seems to extract the whole matching line. I'm just looking for the IP numbers, and all lines will have two IP numbers that I need to extract. The surrounding data might differ depending on the input format.
pattern = '((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)(\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)){3}).*'
gives…
ipinfo="access-list randomx denied tcp blabla/34.23.43.10"
but I can't remove "access-list randomx denied tcp blabla/".

UPDATE:
Amazing, regex works in mysterious ways… looks like named groups worked much better:
pattern = '(.*?)(?P<ip1>(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)(\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)){3})(.*?)(?P<ip2>(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)(\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)){3}).*'
replacement = "{ip1} - {ip2}"
gives…
ipinfo="34.23.43.10 - 172.16.18.15"
Now we are getting somewhere!
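The three results in the post fall out of ordinary regex-substitution semantics: only the matched span is rewritten, so a pattern that does not cover the whole line leaves the uncovered prefix in place. The following is an added Python example, not code from the post or from the log tool it uses (which the post does not name); it assumes that the tool's "pattern + replacement" behaves like `re.sub`, restores the `\.` escaping that the post's patterns lost, and reproduces the three observed outputs on a constructed copy of the sample line. The last function goes beyond the post by collecting every address on a line with word boundaries, which the named-group pattern does not need but a general extractor does.

```python
import re

# Octet alternation from the post. The dot separating octets is escaped (\.) so it
# matches a literal dot only; an unescaped "." would match any character.
OCTET = r"(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)"
IPV4 = rf"{OCTET}(?:\.{OCTET}){{3}}"

# Constructed sample line modelled on the logger input in the post (not real traffic).
SAMPLE = ("access-list randomx denied tcp blabla/34.23.43.10(51315) -> "
          "bleh/172.16.18.15(80) hit-cnt 1 first hit [0x18449730, 0x0]")


def sub_first_attempt(line):
    """Pattern 1 of the post: capture one address and replace it with group 1.
    Only the matched text is rewritten, and it is rewritten to itself, so the
    line comes back unchanged: the 'whole line' result the post describes."""
    return re.sub(rf"({IPV4})", r"\1", line)


def sub_second_attempt(line):
    """Pattern 2: the same capture followed by .* so that everything from the
    first address to the end of the line is replaced by that address. The text
    before the address was never part of the match, so it survives."""
    return re.sub(rf"({IPV4}).*", r"\1", line)


def sub_named_groups(line, template="{ip1} - {ip2}"):
    """Pattern 3 (the working one): a lazy (.*?) consumes the prefix, two named
    groups capture the two addresses, and the trailing .* swallows the rest, so
    the entire line is the match and the template becomes the entire output.
    The {ip1}/{ip2} template is filled from the match's named groups."""
    two_ips = rf"(.*?)(?P<ip1>{IPV4})(.*?)(?P<ip2>{IPV4}).*"
    return re.sub(two_ips, lambda m: template.format(**m.groupdict()), line, count=1)


def find_all_ipv4(line, boundaries=True):
    """Generalisation: return every IPv4 address on a line, in order, however many
    there are. With word boundaries, a string such as "256.1.1.1" yields nothing
    instead of the bogus "56.1.1.1" that the bare octet pattern would accept."""
    pattern = rf"\b{IPV4}\b" if boundaries else IPV4
    return re.findall(pattern, line)


if __name__ == "__main__":
    print(sub_first_attempt(SAMPLE))
    print(sub_second_attempt(SAMPLE))
    print(sub_named_groups(SAMPLE))
    print(find_all_ipv4(SAMPLE))
    print(find_all_ipv4("src 256.1.1.1 dst 10.0.0.1"))
    print(find_all_ipv4("src 256.1.1.1 dst 10.0.0.1", boundaries=False))
```

Two points worth keeping in mind when reusing the named-group pattern: it silently does nothing on a line with fewer than two addresses (the substitution never matches, so the field keeps the raw message), and the octet alternation alone does not stop a longer digit run from being cut into a valid-looking address, which is why the general extractor adds `\b` on both sides.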