03-20-2024 10:25 AM
Hello everyone, I'm attempting to extract fields from DHCP logs but encounter an error stating, "Your query failed to run as it's invalid." My regex code works correctly on regex101 and CyberChef. Does anyone have any insights on how to troubleshoot the issue?
dataset in (infoblox_infoblox_raw)
| filter _raw_log ~= ".*dhcpd.*"
| alter event_raw = _raw_log
// hostname1: the MAC is matched with a non-capturing group so the only capture group is the name in parentheses;
// \s* allows the space dhcpd writes between the MAC and "(hostname)"
| alter pid = arrayindex(regextract(_raw_log, "\[(\d+)\]:"), 0),
    Infobox_host = arrayindex(regextract(_raw_log, "(?:\s+([^\s]+)\s+)?dhcpd"), 0),
    mac_address = arrayindex(regextract(_raw_log, "DHCPDISCOVER\sfrom\s([A-Fa-f\d]{2}(?:[:-][A-Fa-f\d]{2}){5})"), 0),
    hostname1 = arrayindex(regextract(_raw_log, "DHCPDISCOVER\sfrom\s(?:[A-Fa-f\d]{2}(?:[:-][A-Fa-f\d]{2}){5})\s*\(([^)]+)\)"), 0)
| fields hostname1, mac_address, pid, Infobox_host, _raw_log
| limit 100
Thanks
03-21-2024 12:18 AM
Hello @AmirSabei ,
Thanks for reaching out on LiveCommunity!
Based on your query, it looks like the issue is with the hostname1 field. The regular expression matches a DHCPDISCOVER message followed by a MAC address and an IP address enclosed in parentheses. Can you confirm exactly what you are looking for in the hostname1 field?
If you run it without |fields hostname1, it works fine.
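The reply points at hostname1, and its pattern is the only one in the query with two capturing groups: whichever group regextract returns first is the MAC, not the name in parentheses. The script below is an added example, not code from the original thread or from Cortex XQL. It runs the four posted patterns and a corrected hostname1 pattern (MAC group made non-capturing, optional whitespace before the parenthesis) over constructed dhcpd-style syslog lines, models arrayindex(regextract(...), 0) as "first capturing group of the first match" (an assumption about XQL semantics, not something the thread confirms), and flags any pattern with more than one capturing group so the problem shows up before the query is submitted.

```python
import re

# Constructed sample lines in ISC dhcpd syslog format (not taken from the original post).
SAMPLE_LOGS = [
    "Mar 20 10:25:01 infoblox-gm dhcpd[12345]: DHCPDISCOVER from 00:50:56:ab:cd:ef (laptop-01) via eth1",
    "Mar 20 10:25:02 infoblox-gm dhcpd[12345]: DHCPDISCOVER from 00:50:56:ab:cd:f0 via eth1",
    "Mar 20 10:25:03 infoblox-gm dhcpd[12345]: DHCPOFFER on 10.0.0.23 to 00:50:56:ab:cd:ef (laptop-01) via eth1",
]

MAC = r"[A-Fa-f\d]{2}(?:[:-][A-Fa-f\d]{2}){5}"

# Patterns exactly as posted in the question; hostname1 carries two capturing groups.
POSTED = {
    "pid": r"\[(\d+)\]:",
    "Infobox_host": r"(?:\s+([^\s]+)\s+)?dhcpd",
    "mac_address": rf"DHCPDISCOVER\sfrom\s({MAC})",
    "hostname1": rf"DHCPDISCOVER\sfrom\s({MAC})\(([^)]+)\)",
}

# Corrected set: MAC becomes non-capturing and \s* tolerates the space dhcpd writes before "(hostname)".
FIXED = dict(POSTED, hostname1=rf"DHCPDISCOVER\sfrom\s(?:{MAC})\s*\(([^)]+)\)")


def capturing_groups(pattern: str) -> int:
    """Number of capturing groups in a pattern (non-capturing (?:...) groups are not counted)."""
    return re.compile(pattern).groups


def regextract_first(line: str, pattern: str):
    """Assumed model of arrayindex(regextract(line, pattern), 0):
    first match in the line, first capturing group if there is one, else the whole match; None if no match."""
    m = re.search(pattern, line)
    if m is None:
        return None
    return m.group(1) if m.re.groups else m.group(0)


def extract_fields(line: str, patterns: dict) -> dict:
    """Apply every named pattern to one raw log line, mirroring the alter stage of the query."""
    return {name: regextract_first(line, pattern) for name, pattern in patterns.items()}


def lint_patterns(patterns: dict) -> list:
    """Names of patterns whose first capturing group cannot be the intended field because another group precedes it."""
    return [name for name, pattern in patterns.items() if capturing_groups(pattern) > 1]


if __name__ == "__main__":
    print("patterns with more than one capturing group (posted):", lint_patterns(POSTED))
    print("patterns with more than one capturing group (fixed): ", lint_patterns(FIXED))
    for line in SAMPLE_LOGS:
        print(line)
        print("  posted:", extract_fields(line, POSTED))
        print("  fixed: ", extract_fields(line, FIXED))
```

On the first sample line the posted hostname1 pattern matches nothing at all (it requires the parenthesis to follow the MAC directly), while the corrected pattern yields laptop-01; the second line has no hostname and correctly yields None for hostname1 while pid, Infobox_host and mac_address still populate.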