# Basic (allows invalid octets like 999)\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}# Strict (valid octets 0-255)\b(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\b# With CIDR\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\/\d{1,2}
IPv6 Address (Simplified)
# Basic pattern (not comprehensive)(?:[0-9a-fA-F]{1,4}:){7}[0-9a-fA-F]{1,4}# With :: compression (simplified)(?:[0-9a-fA-F]{0,4}:){2,7}[0-9a-fA-F]{0,4}
MAC Address
# Colon-separated([0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}# Dash-separated([0-9a-fA-F]{2}-){5}[0-9a-fA-F]{2}# Cisco format (xxxx.xxxx.xxxx)([0-9a-fA-F]{4}\.){2}[0-9a-fA-F]{4}# Any separator([0-9a-fA-F]{2}[:-]){5}[0-9a-fA-F]{2}
Port Number
# Any port (1-65535)\b([1-9]|[1-9]\d{1,3}|[1-5]\d{4}|6[0-4]\d{3}|65[0-4]\d{2}|655[0-2]\d|6553[0-5])\b# Simplified (allows invalid)\b\d{1,5}\b
URL
# Basic HTTP/HTTPShttps?:\/\/[^\s]+# More completehttps?:\/\/(?:www\.)?[-a-zA-Z0-9@:%._\+~#=]{1,256}\.[a-zA-Z0-9()]{1,6}\b(?:[-a-zA-Z0-9()@:%_\+.~#?&\/=]*)
Domain Name
# Basic[a-zA-Z0-9][-a-zA-Z0-9]*\.[a-zA-Z]{2,}# With subdomains(?:[a-zA-Z0-9][-a-zA-Z0-9]*\.)+[a-zA-Z]{2,}
Log Parsing Patterns
Timestamp Formats
# ISO 8601: 2024-01-15T10:30:45Z\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d+)?(?:Z|[+-]\d{2}:\d{2})# Common log: 15/Jan/2024:10:30:45 +0000\d{2}\/[A-Za-z]{3}\/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4}# Syslog: Jan 15 10:30:45[A-Za-z]{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}# US format: 01/15/2024 10:30:45\d{2}\/\d{2}\/\d{4}\s+\d{2}:\d{2}:\d{2}
Log Levels
# Common levels\b(DEBUG|INFO|WARN(?:ING)?|ERROR|FATAL|CRITICAL)\b# Case insensitive flag needed for: debug, info, etc.
# Hex string 32+ chars[0-9a-fA-F]{32,}# Base64-ish (JWT, API keys)[A-Za-z0-9_-]{20,}
Splunk-Specific
# Extract IP addresses| rex field=_raw "(?<src_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"# Extract key=value pairs| rex field=_raw "(?<key>\w+)=(?<value>[^\s]+)"# Extract quoted strings| rex field=_raw "\"(?<message>[^\"]+)\""# Multiple capture groups| rex field=_raw "src=(?<src>\S+)\s+dst=(?<dst>\S+)"
Wireshark Display Filters
Note: Wireshark uses its own filter syntax, not pure regex. For regex matching:
# Basic extended regexgrep -E 'pattern' file# Case insensitivegrep -i 'error' file# Show line numbersgrep -n 'pattern' file# Invert matchgrep -v 'DEBUG' file# Multiple patternsgrep -E 'error|warning|critical' file# ripgrep (faster)rg 'pattern' filerg -i 'error' # case insensitiverg -t py 'import' # file type filter
Lookahead / Lookbehind
Pattern
Name
Meaning
(?=...)
Positive lookahead
Followed by
(?!...)
Negative lookahead
Not followed by
(?<=...)
Positive lookbehind
Preceded by
(?<!...)
Negative lookbehind
Not preceded by
Examples:
# Password followed by = (but don't capture =)password(?=\s*=)# Number NOT followed by px\d+(?!px)# Value after "price: "(?<=price:\s)\d+# Word not preceded by "un"(?<!un)happy