I am trying to extract a field from logs that look like this:
Apr 28 07:45:22.992 On [2:18]20.5.4.1:5070 sent to 102.11.130.135:50953
...
Apr 28 07:45:22.992 On [0:51]10.20.33.50:5060 received from 10.20.1.1:59758
...
The fields I'm trying to extract are source & destination IPs for each entry. So for source_ip, it's 20.5.4.1 and 10.2.1.1. For the destination, it's 102.11.130.135 & 10.20.33.50.
It looks like I need a regex that matches a field that 'begins with "sent to" OR ends with "received from"' and vice-versa but I can't for the life of me get the regex to work.
I tried to use prefixes but ended up with some nasty regexes that just don't work.
(?i)([^\]\n]*\]|received from )(?P<FIELDNAME>\d+\.\d+\.\d+\.\d+:\d+)
Can I do this with Splunk? Is it possible to use two regexes to extract to one field?
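One way to get both fields from a single pattern, as an added example that is not part of the original question: instead of two regexes with the same field name, capture the address on each side of the verb together with the verb itself, then decide which one is the source and which the destination from the verb. The sample log lines below are constructed in the shape shown above; the Python function and its field names are this example's own choices, not anything the asker's environment provides.

```python
import re
from typing import Dict, List, Optional

# Constructed sample lines matching the question's log format (not real traffic).
SAMPLE_LOGS = [
    "Apr 28 07:45:22.992 On [2:18]20.5.4.1:5070 sent to 102.11.130.135:50953",
    "Apr 28 07:45:22.992 On [0:51]10.20.33.50:5060 received from 10.20.1.1:59758",
    "Apr 28 07:45:23.001 On something with no addresses at all",
]

# Dotted-quad IPv4 address (length-limited octets, no range validation).
IP = r"\d{1,3}(?:\.\d{1,3}){3}"

# One regex: the address right after the closing bracket, the verb, and the
# address after the verb. Anchoring on "]" keeps the left capture from drifting
# onto the timestamp or any other digits earlier in the line.
PATTERN = re.compile(
    rf"\](?P<left>{IP}):\d+ (?P<verb>sent to|received from) (?P<right>{IP}):\d+"
)


def extract_endpoints(line: str) -> Optional[Dict[str, str]]:
    """Return {'source_ip': ..., 'dest_ip': ...} for a line, or None if no match."""
    m = PATTERN.search(line)
    if m is None:
        return None
    left, verb, right = m.group("left", "verb", "right")
    if verb == "sent to":
        # local endpoint sent to the remote one: left is the source
        return {"source_ip": left, "dest_ip": right}
    # "received from": the remote endpoint on the right is the source
    return {"source_ip": right, "dest_ip": left}


def extract_all(lines: List[str]) -> List[Dict[str, str]]:
    """Extract endpoints from every line, skipping lines that do not match."""
    results = []
    for line in lines:
        fields = extract_endpoints(line)
        if fields is not None:
            results.append(fields)
    return results


if __name__ == "__main__":
    for row in extract_all(SAMPLE_LOGS):
        print(row)
```

The same idea carries over to Splunk search language without duplicate field names: a single `rex` captures `left`, `verb` and `right`, and an `eval` assigns `source_ip`/`dest_ip` with `if(verb=="sent to", left, right)` and `if(verb=="sent to", right, left)`. Note that `rex` uses the `(?<name>...)` group syntax rather than Python's `(?P<name>...)`.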