I did look at that but couldn’t comprehend it to my need. Hence, posted this. 

Hi @nsiva Please try this:

| makeresults | eval _raw = "123 IP Address is 1.2.3.4"
| rex field=_raw "is\s(?P<ip>.*)" | table _raw ip

once if the rex is working fine, then you can do,
"|stats count by ip"

let us know what happens, thanks. 

@inventsekar This works only for the ip address 1.2.3.4. What do I do if the ip address changes to 5.6.7.8 or 4.3.2.1? 

#your base search which produce the logs, ... like index=abc sourcetype=abc

index=firewall sourcetype=abc
| rex field=_raw "is\s(?P<ip>.*)" 
| table _raw ip
| stats count by ip

Hi @nsiva .. 

if this search does not work, pls show us a screenshot.. thanks. 

Hey @nsiva ,

The query that @inventsekar has posted will work with any of the ip address provided the raw event is 

123 IP Address is 1.2.3.4

 Can you please elaborate why the solution doesn't work for you? 

And for your reference, I've used 4.3.2.1 in _raw and it still extracts the ip address. Find the below screenshot.

To assist you better, it would be great if you can provide the raw events and then ip field can be extracted from the same. You can redact the sensitive information.

Thanks,
Tejas.