https://community.splunk.com/t5/Splunk-Search/How-to-extract-ip-address-using-regex/m-p/379719#M111202 <P>Can you please post search code and event strings as code (use the 101010 button in the editor), otherwise some parts will get messed up due to how the board handles certain special characters.</P> <P>In general, to strictly extract an IP address, use a regex like this: <CODE>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}</CODE></P> <P>So for you example, you should probably use something like:</P> <PRE><CODE>index="testd" | rex field=_raw "Remote host:(?&lt;Remotehost&gt;\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})" </CODE></PRE> Wed, 02 May 2018 11:18:12 GMT FrankVl 2018-05-02T11:18:12Z https://community.splunk.com/t5/Splunk-Search/How-to-extract-ip-address-using-regex/m-p/379717#M111200 <P>index="testd" | rex field=_raw "Remote host:(?.*):" |dedup Remotehost |stats count by Remotehost</P> <P>My events:</P> <P>Remote host:</P> <BLOCKQUOTE> <P>2.136.12.186</P> </BLOCKQUOTE> <P>:34126]@684574 useCount=1 bytesRead=0 bytesWritten=2994631 age=163708ms lastIO=5ms ))).onExceptionWrite exception</P> <P>Expected output:</P> <P>2.136.12.186</P> <P>Thanks in advance</P> Wed, 02 May 2018 11:11:18 GMT https://community.splunk.com/t5/Splunk-Search/How-to-extract-ip-address-using-regex/m-p/379717#M111200 karthi2809 2018-05-02T11:11:18Z https://community.splunk.com/t5/Splunk-Search/How-to-extract-ip-address-using-regex/m-p/379718#M111201 <P>Hi<BR /> try with this regex</P> <PRE><CODE>index="testd" | rex "(?ms)Remote host:\s+(?&lt;Remotehost&gt;\d+\.\d+\.\d+\.\d+)" | dedup Remotehost | stats count by Remotehost </CODE></PRE> <P>that you can test at <A href="https://regex101.com/r/NZkwci/2">https://regex101.com/r/NZkwci/2</A><BR /> Only one question: why do you dedup by Remotehost and then use stats count? result will be always 1!</P> <P>Bye.<BR /> Giuseppe</P> Wed, 02 May 2018 11:18:05 GMT https://community.splunk.com/t5/Splunk-Search/How-to-extract-ip-address-using-regex/m-p/379718#M111201 gcusello 2018-05-02T11:18:05Z https://community.splunk.com/t5/Splunk-Search/How-to-extract-ip-address-using-regex/m-p/379719#M111202 <P>Can you please post search code and event strings as code (use the 101010 button in the editor), otherwise some parts will get messed up due to how the board handles certain special characters.</P> <P>In general, to strictly extract an IP address, use a regex like this: <CODE>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}</CODE></P> <P>So for you example, you should probably use something like:</P> <PRE><CODE>index="testd" | rex field=_raw "Remote host:(?&lt;Remotehost&gt;\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})" </CODE></PRE> Wed, 02 May 2018 11:18:12 GMT https://community.splunk.com/t5/Splunk-Search/How-to-extract-ip-address-using-regex/m-p/379719#M111202 FrankVl 2018-05-02T11:18:12Z https://community.splunk.com/t5/Splunk-Search/How-to-extract-ip-address-using-regex/m-p/379720#M111203 <P>There is literally a million valid regexes on the Internet to extract IP addresses.</P> <P>Assuming the following:</P> <UL> <LI>You only have IPv4 addresses</LI> <LI>They're always at the beginning of the event</LI> </UL> <P>You could use this regex: <CODE>^((?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)</CODE></P> <P>Hope that helps - if it does I'd be happy if you would upvote/accept this answer, so others could profit from it. <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Wed, 02 May 2018 11:20:39 GMT https://community.splunk.com/t5/Splunk-Search/How-to-extract-ip-address-using-regex/m-p/379720#M111203 xpac 2018-05-02T11:20:39Z https://community.splunk.com/t5/Splunk-Search/How-to-extract-ip-address-using-regex/m-p/707462#M239296 <P>I created a Splunk Macros&nbsp;for regular expressions for IPv4 addresses.</P><P>Definitions and usages are in an article below.</P><P>&nbsp;<A href="https://qiita.com/Joh256/private/659ef65897905890ef99" target="_blank">https://qiita.com/Joh256/private/659ef65897905890ef99</A>.</P><P>I also put them in an add-on below.</P><P><A href="https://splunkbase.splunk.com/app/6595" target="_blank">https://splunkbase.splunk.com/app/6595</A></P><P>&nbsp;</P> Sun, 22 Dec 2024 23:04:18 GMT https://community.splunk.com/t5/Splunk-Search/How-to-extract-ip-address-using-regex/m-p/707462#M239296 tfujita_splunk 2024-12-22T23:04:18Z