My output in Splunk is as below:
<error code #> IP Address is x.y.z.a
I want to extract only x.y.z.a and its count. It should ignore duplicates.
Can someone please assist?
Please see this previous post: https://community.splunk.com/t5/Splunk-Search/How-to-extract-ip-address-using-regex/m-p/379717
I did look at that but couldn't adapt it to my need. Hence, I posted this.
Hi @nsiva, please try this:
| makeresults | eval _raw = "123 IP Address is 1.2.3.4"
| rex field=_raw "is\s(?P<ip>.*)" | table _raw ip
Once the rex is working fine, you can do:
| stats count by ip
Let us know what happens, thanks.
@inventsekar This works only for the IP address 1.2.3.4. What do I do if the IP address changes to 5.6.7.8 or 4.3.2.1?
# your base search which produces the logs, e.g. index=abc sourcetype=abc
index=firewall sourcetype=abc
| rex field=_raw "is\s(?P<ip>.*)"
| table _raw ip
| stats count by ip
Hi @nsiva, if this search does not work, please show us a screenshot. Thanks.
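An added, self-contained variant of the search above (not from any poster in this thread): it builds four constructed sample events with makeresults, uses an IPv4-shaped pattern instead of `.*` so trailing text after the address is not swallowed into the field, and counts each distinct address once with stats.

```spl
| makeresults count=4
| streamstats count AS n
``` constructed sample events; the fourth has text after the address, which `.*` would capture ```
| eval _raw=case(n=1, "123 IP Address is 1.2.3.4",
                 n=2, "456 IP Address is 5.6.7.8",
                 n=3, "123 IP Address is 1.2.3.4",
                 n=4, "789 IP Address is 4.3.2.1 from host fw01")
``` match exactly four dotted decimal octets after the literal prefix ```
| rex field=_raw "IP Address is\s(?<ip>\d{1,3}(?:\.\d{1,3}){3})"
``` one row per distinct address with its count (1.2.3.4 -> 2, others -> 1) ```
| stats count BY ip
```

Replace the makeresults/streamstats/eval lines with your real base search (index=... sourcetype=...) to run it on live data.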
Hey @nsiva,
The query that @inventsekar has posted will work with any IP address, provided the raw event is
123 IP Address is 1.2.3.4
Can you please elaborate why the solution doesn't work for you?
And for your reference, I've used 4.3.2.1 in _raw and it still extracts the IP address. See the screenshot below.
To assist you better, it would be great if you could provide the raw events; the ip field can then be extracted from them. You can redact the sensitive information.
Thanks,
Tejas.