topic Re: How do you use the rex command to parse out the IP between fix characters? in Splunk Search

How do you use the rex command to parse out the IP between fix characters?

AbubakarShahid — Thu, 28 Feb 2019 15:39:30 GMT

Hi all,

I was wondering how can i write a Splunk rex to parse out the IP between two words.

for example

  <IpAddress>8.8.8.8, 2.2.2.2</IpAddress>
  <blahblah>1.1.1.1, 2.2.2.2, x.x.x.x</blahblah>

I am able to write a search

but in results it parses out "8.8.8.8<" and "x.x.x.x<"

I only care about the first IP address between.

I'm looking forward to hearing from you guys.

Re: How do you use the rex command to parse out the IP between fix characters?

FrankVl — Thu, 28 Feb 2019 15:44:44 GMT

Your question is a bit unclear (partly because I think some stuff between <> went missing?). Can you please clarify a bit what it is exactly that you want to extract? And please also share the search you have so far.

Taking my best guess at what you want, wouldn't this do the trick:

| rex "\<IpAddress\>(?<IP>\d+\.\d+\.\d+\.\d+)"

https://regex101.com/r/JWEbRc/1

Re: How do you use the rex command to parse out the IP between fix characters?

vnravikumar — Thu, 28 Feb 2019 15:49:26 GMT

Hi @AbubakarShahid

Try this it will extract first ip address

| makeresults 
| eval str="<blahblah>1.1.1.1, 2.2.2.2, x.x.x.x</blahblah>" 
| rex field=str ">(?P<ipaddress>\d{1,3}.\d{1,3}.\d{1,3}.\d{1,3})"