topic Re: How to edit regex for existing fields in Splunk Search

How to edit regex for existing fields

jas0049 — Mon, 27 May 2019 09:26:06 GMT

Hi!
need to edit existing fields using regex as its not giving proper values.
e.g. there is field called "IP" (auto extracted ) its have IP address with some other values. so need to remove extra values apart from ip address.
Please suggest.

Re: How to edit regex for existing fields

cpetterborg — Mon, 27 May 2019 13:18:39 GMT

You can always use the rex command to create/modify a field that is always extracted. For example:

| makeresults
| eval IP="10.0.0.1:9997"
| rex field=IP "(?<myIP>[\d.]+)"

will result in myIP containing just the IP, and not the port from the IP field.

For future reference, it is always best to give some example data with your question so that it is easier to help answer you particular problem.

Re: How to edit regex for existing fields

koshyk — Mon, 27 May 2019 14:21:46 GMT

Splunk can do it easily during search time. Please find regex for various IP address types

 | makeresults
 | eval mixedIP="10.0.0.1:8000"
 | rex field=mixedIP "(?<ipv4>(?:[0-9]{1,3}\.){3}[0-9]{1,3})"

Re: How to edit regex for existing fields

woodcock — Mon, 27 May 2019 21:46:02 GMT

The regex command is a search filtering command, not a field creating/parsing command. You need to use rex for that.