Lieutenant

Unable to map IPAddress in ArcSight parsing

Tried all the options, but unable to map this regex to events.destinationAddress -> ([\d\.\d\.\d\.\d]+|\-) 

Need |\- as sometimes I get - and sometimes I get an IP address in the logs.

event.destinatonAddress=__oneOfAddress(destIP)

Accepted Solutions
Captain

Hey, (\\d+.\\d+.\\d+.\\d+) usually works for me. You can also try ([0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3})

I don't know if you copied "event.destinatonAddress=__oneOfAddress(destIP)" from the parser, but if so, you have a typo there in "destination."

 

Regards, Thomas

Lieutenant
Hey Thomas,
I don't think \\d is causing the issue, maybe something to do with (OR \-) part.
Lieutenant
it worked, thanks a lot!! 🙂
Captain

np, good luck in the future.

 

regards, Thomas

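The patterns from this thread compared on constructed field values, as an added example that is not part of the original posts. It uses Python's re module, assumed here to treat these particular patterns the same way as the connector's regex engine; the STRICT pattern and the helper names are this example's own. It shows what each pattern accepts and a validation step that maps "-" (or a non-address) to no destination address.

```python
import ipaddress
import re

# Patterns as posted in the thread ("\\d" in a properties file is the regex "\d").
THREAD_PATTERNS = {
    "question": r"([\d\.\d\.\d\.\d]+|\-)",   # class is just "digits or dots", any order
    "answer_1": r"(\d+.\d+.\d+.\d+)",        # unescaped "." matches any character
    "answer_2": r"([0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3})",
}

# Stricter variant (assumption of this example, not from the thread):
# escaped dots, bounded octets, and "-" as an explicit alternative.
STRICT = r"((?:\d{1,3}\.){3}\d{1,3}|-)"

# Constructed sample values for the destination field.
SAMPLES = ["10.1.2.3", "-", "1.2.3", "10a1b2c3", "999.1.1.1", "...."]


def accepts(pattern, value):
    """True if the whole field value matches the pattern."""
    return re.fullmatch(pattern, value) is not None


def to_destination_address(value):
    """Return a validated IPv4 string, or None for "-" or a non-address."""
    match = re.fullmatch(STRICT, value)
    if match is None or match.group(1) == "-":
        return None
    try:
        # The regex only checks shape; this rejects octets above 255.
        return str(ipaddress.IPv4Address(match.group(1)))
    except ipaddress.AddressValueError:
        return None


if __name__ == "__main__":
    patterns = {**THREAD_PATTERNS, "strict": STRICT}
    for value in SAMPLES:
        row = {name: accepts(p, value) for name, p in patterns.items()}
        print(f"{value!r:12} {row} -> {to_destination_address(value)}")
```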