Network Split

Networking

Synopsis

Splits a combined host:port address string into separate IP address and port fields using Go's standard net.SplitHostPort parser.

Schema

- network_split:
    field: <ident>
    ip_field: <ident>
    port_field: <ident>
    description: <text>
    if: <script>
    tag: <string>
    on_success: <processor[]>
    on_failure: <processor[]>
    ignore_missing: <boolean>
    ignore_failure: <boolean>
    disabled: <boolean>

Configuration

The following fields are used to define the processor:

Field	Required	Default	Description
field	Y		Source field containing the host:port address string
ip_field	Y		Target field to write the extracted host or IP address
port_field	N		Target field to write the extracted port number
description	N		Explanatory text
if	N		Condition to run
tag	N		Identifier for logging
on_success	N		See Handling Success
on_failure	N		See Handling Failures
ignore_missing	N	false	If true, exit quietly when field does not exist
ignore_failure	N	false	See Handling Failures
disabled	N	false	Disable the processor

Details

The processor reads the value of field and parses it using net.SplitHostPort. The extracted host component is written to ip_field. The port component is written to port_field only when port_field is specified and a port is present in the source value. When the source value contains no port, port_field is not created.

The source field value must be a string. Non-string values cause an error that can be suppressed with ignore_failure.

IPv4 addresses in host:port format (192.168.1.100:8080), IPv6 addresses in bracketed format ([2001:db8::1]:443), and hostnames (example.com:443) are all accepted. Bare IPv4 addresses without a port (10.0.0.5) and bare IPv6 addresses (2001:db8::1) are also accepted and write only the host component to ip_field.

Examples

IPv4 Address with Port

Splitting an IPv4 address and port from a combined field...	{ "source_address": "192.168.1.100:8080" } - network_split: field: source_address ip_field: src_ip port_field: src_port
Processor writes IP and port to separate fields...	{ "source_address": "192.168.1.100:8080", "src_ip": "192.168.1.100", "src_port": "8080" }

IPv6 Address with Port

Splitting an IPv6 address in bracketed notation...	{ "dest_address": "[2001:db8::1]:443" } - network_split: field: dest_address ip_field: dst_ip port_field: dst_port
Processor extracts the IPv6 address without brackets...	{ "dest_address": "[2001:db8::1]:443", "dst_ip": "2001:db8::1", "dst_port": "443" }

Address Without Port

Processing a bare IP address with no port present...	{ "server_ip": "10.0.0.5" } - network_split: field: server_ip ip_field: server_ip_addr port_field: server_port
Only the IP field is written; port field is not created when no port exists...	{ "server_ip": "10.0.0.5", "server_ip_addr": "10.0.0.5" }

Hostname with Port

Splitting a hostname and port from an endpoint field...	{ "endpoint": "example.com:443" } - network_split: field: endpoint ip_field: host port_field: port
Processor writes the hostname and port to separate fields...	{ "endpoint": "example.com:443", "host": "example.com", "port": "443" }

IP Only Extraction

Extracting only the IP address when port output is not needed...	{ "address": "192.168.1.100:8080" } - network_split: field: address ip_field: ip_addr
Only the IP field is written; port is discarded...	{ "address": "192.168.1.100:8080", "ip_addr": "192.168.1.100" }