topic Re: IP address for the last occurrence in Splunk Search

IP address for the last occurrence

VS0909 — Tue, 07 Sep 2021 10:42:30 GMT

Can someone please help with the Splunk query for the below scenario:

I want to extract last IP address by a regular expression (regex) , for an event which has one or more IP addresses.

If the event has one IP ---> then extract that IP

If the event has more than one IP ---> then extract the last IP

Thanks!

Re: IP address for the last occurrence

VS0909 — Tue, 07 Sep 2021 10:43:51 GMT

@gcusello Can you help with the Splunk query for the below scenario:

I want to extract last IP address by a regular expression (regex) , for an event which has one or more IP addresses.

If the event has one IP ---> then extract that IP

If the event has more than one IP ---> then extract the last IP

Thanks!

Re: IP address for the last occurrence

gcusello — Tue, 07 Sep 2021 11:30:41 GMT

Hi @VS0909,

Could you share any sample of your logs?

possibly some event with one IP and someone else with many IPs.

Ciao.

Giuseppe

Re: IP address for the last occurrence

VS0909 — Tue, 07 Sep 2021 11:54:26 GMT

@gcusello Please find below details

There may be one or more IP's in the event

Sample logs with two IP's:

- - - [07/Sep/2020:06:42:58 -0500] "ssa/edit.jsp?assetURI HTTP/1.1" HTTP/1.1 200 1111 1111 0.222/444 Mozilla/1.0 (Windows NT 1.0; Win64; x64)110.10.222.22 LKMKOIL8098mnmdsLO799 230.44.333.122 wwwsss.abc.com

Sample logs with one IP:

- - - [07/Sep/2020:06:42:58 -0500] "ssa/edit.jsp?assetURI HTTP/1.1" HTTP/1.1 200 1111 1111 0.222/444 Mozilla/1.0 (Windows NT 1.0; Win64; x64) - http://abc:8080/bbb/aaa/mmm?_requestid=39999 230.44.333.222 LKMKOIL8098mnmdsLO799 - abcde1

Re: IP address for the last occurrence

gcusello — Tue, 07 Sep 2021 12:03:47 GMT

Hi @VS0909,

please try this:

| rex "\s(?<IP>\d+\.\d+\.\d+\.\d+)"

that you can test at https://regex101.com/r/UxpUvx/1

Ciao.

Giuseppe

Re: IP address for the last occurrence

VS0909 — Tue, 07 Sep 2021 13:06:43 GMT

@gcusello Thanks for the reply.

| rex "\s(?<IP>\d+\.\d+\.\d+\.\d+)"

This regex is capturing all the IPs in the event. I just need the last IP . can you please help with that.

Re: IP address for the last occurrence

gcusello — Tue, 07 Sep 2021 13:36:40 GMT

Hi @VS0909,

please try this:

| rex "(?<IP>\d+\.\d+\.\d+\.\d+)" | eval IP=mvindex(IP,-1)

Ciao.

Giuseppe

Re: IP address for the last occurrence

VS0909 — Tue, 07 Sep 2021 13:53:15 GMT

Thanks for the repply @gcusello . It is still taking the first value. Can you please help! Thanks!

Re: IP address for the last occurrence

gcusello — Tue, 07 Sep 2021 14:37:12 GMT

Hi @VS0909,

please try this:

| rex ".*(?<IP>\d+\.\d+\.\d+\.\d+)"

that you can test at https://regex101.com/r/UxpUvx/2

Ciao.

Giuseppe

Re: IP address for the last occurrence

scelikok — Tue, 07 Sep 2021 16:03:37 GMT

Hi @VS0909,

Please try below (using negative lookahead);

| rex "(?!.+\s\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})(?<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"

Re: IP address for the last occurrence

VS0909 — Wed, 08 Sep 2021 05:58:49 GMT

@gcusello Thanks for the reply!

rex ".*(?<IP>\d+\.\d+\.\d+\.\d+)" - this is capturing the last IP, but instead of capturing "230.44.333.122" , its capturing "0.44.333.222"

Appreciate your help on this.