topic Re: how to extract this ip address in Splunk Search

how to extract this ip address

cyberportnoc — Wed, 27 Jul 2016 09:06:19 GMT

"api" AND "delete" AND ("neutron" OR "nova" OR "cinder" OR "glance") | rex field=_raw "api:(?\s\d+.\d+.\d+.\d+)" | stats ipip

no result after added "| stats ipip"

Jul 27 16:47:59 iccontroller01 neutron-api: 192.168.120.5, 192.168.100.104 - - [27/Jul/2016:16:47:59 +0800] "DELETE /v2.0/floatingips/34840e14-8387-4cf0-bd26-b3f84782a8c9.json HTTP/1.1" 204 - "-" "python-neutronclient"

Re: how to extract this ip address

richgalloway — Wed, 27 Jul 2016 12:20:18 GMT

"ipip" is not a valid argument to the stats command. It's not a field, either. It's not clear what you're trying to do with the search, but something like this should get some results.

"api" AND "delete" AND ("neutron" OR "nova" OR "cinder" OR "glance") | rex field=_raw "api:\s(?<ipip>\d+.\d+.\d+.\d+)" | stats list(ipip)

Re: how to extract this ip address

Raschko — Wed, 27 Jul 2016 12:28:05 GMT

As your splunk search isn't formatted correctly, I hope I got it right (use the "Code Sample" button above when posting a Splunk Search).

Using your regex I can extract it without a problem:

search | rex field=_raw "api:(?<ipip>\s\d+.\d+.\d+.\d+)" | stats first(ipip)

Re: how to extract this ip address

sundareshr — Wed, 27 Jul 2016 12:35:17 GMT

Try this

"api" AND "delete" AND ("neutron" OR "nova" OR "cinder" OR "glance") | rex field=_raw "api:( \d+\.\d+\.\d+\.\d+,?){0,3}" |mvexpand IP | table IP

Re: how to extract this ip address

cyberportnoc — Thu, 28 Jul 2016 01:10:32 GMT

command first(ipip) can extract but only show one ip result , and when i count it, no result found

"api" AND "delete" AND ("neutron" OR "nova" OR "cinder" OR "glance") | rex field=_raw "api:(?\s\d+.\d+.\d+.\d+)" | stats count by first(ipip)

Re: how to extract this ip address

cyberportnoc — Thu, 28 Jul 2016 01:15:18 GMT

"api" AND "delete" AND ("neutron" OR "nova" OR "cinder" OR "glance") | rex field=_raw "api:(?\s\d+.\d+.\d+.\d+){0,3}" |mvexpand ipip | table ipip | stats count by ipip

this show more ip then previous answer

Re: how to extract this ip address

cyberportnoc — Thu, 28 Jul 2016 01:22:55 GMT

what do {0,3} mean ?

Re: how to extract this ip address

sundareshr — Thu, 28 Jul 2016 02:16:47 GMT

{0,3} means the group can occur 0 - 3 times. In this case, the group is space followed by IP pattern. If the IP can only appear in that segment of the event, you could also do

.... | raw max_match=0 (?<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})

The only risk with this is it will capture all IP addresses no matter where they appear in the event.

Re: how to extract this ip address

Raschko — Thu, 28 Jul 2016 02:55:09 GMT

The stats function "first" just shows the first ipip that was seen by splunk.

To count by extracted IP addresses use something like this:

"api" AND "delete" AND ("neutron" OR "nova" OR "cinder" OR "glance") | rex field=_raw "api:\s(?<ipip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})" | stats count by ipip

It still only extracts the first IP address following "api: " of the log event.