https://community.splunk.com/t5/Splunk-Search/How-to-extract-a-field-from-my-raw-data-using-rex/m-p/597994#M208231 <P>If your raw data is always in exactly that format,&nbsp; |rex field=_raw "IP addresses: (?&lt;Country1&gt;.*)\((?&lt;IP1&gt;.*) and (?&lt;Country2&gt;.*)\((?&lt;IP2&gt;.*)\)"</P><P>There's probably a more precise way that would be less error prone, but this might get you started.</P> Mon, 16 May 2022 19:37:32 GMT etoombs 2022-05-16T19:37:32Z https://community.splunk.com/t5/Splunk-Search/How-to-extract-a-field-from-my-raw-data-using-rex/m-p/597989#M208228 <P>In my splunk logs, i have 2 IPs in 1 field name.</P> <P>I want to extract both IPs create a new field as IP1 &amp; IP2. Please help here.</P> <P>The user XYZ was involved in an impossible travel incident. The user connected from two countries within 280 minutes, from these IP addresses: United States (<STRONG>205.000.000.0</STRONG>) and Italy (<STRONG>37.000.000.00</STRONG>). If any of these IP addresses are used by the organization for VPN connections and do not necessarily represent a physical location, we recommend categorizing them as VPN in the IP Address range page in Microsoft Defender for Cloud Apps portal to avoid false alerts.</P> <P>&nbsp;</P> <P>Example</P> <P>IP1 -&nbsp;<STRONG>205.000.000.0</STRONG></P> <P>IP2 -&nbsp;<STRONG>37.000.000.00</STRONG></P> Tue, 17 May 2022 17:03:24 GMT https://community.splunk.com/t5/Splunk-Search/How-to-extract-a-field-from-my-raw-data-using-rex/m-p/597989#M208228 alexspunkshell 2022-05-17T17:03:24Z https://community.splunk.com/t5/Splunk-Search/How-to-extract-a-field-from-my-raw-data-using-rex/m-p/597994#M208231 <P>If your raw data is always in exactly that format,&nbsp; |rex field=_raw "IP addresses: (?&lt;Country1&gt;.*)\((?&lt;IP1&gt;.*) and (?&lt;Country2&gt;.*)\((?&lt;IP2&gt;.*)\)"</P><P>There's probably a more precise way that would be less error prone, but this might get you started.</P> Mon, 16 May 2022 19:37:32 GMT https://community.splunk.com/t5/Splunk-Search/How-to-extract-a-field-from-my-raw-data-using-rex/m-p/597994#M208231 etoombs 2022-05-16T19:37:32Z https://community.splunk.com/t5/Splunk-Search/How-to-extract-a-field-from-my-raw-data-using-rex/m-p/598036#M208247 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/126376">@alexspunkshell</a>,</P><P>if you could share a sample of your logs I could be more detailed in my answer,</P><P>anyway, you have two choices:</P><UL><LI>if you want to maintain separates IPs you have to find two different regexes, identifying something as difference,</LI><LI>if you're not interested to have different field names for the two IPs, you could use the same regex.</LI></UL><P>in the first case, try something like this:</P><LI-CODE lang="markup">your_search | rex "IP\s+addresses:\s+(?&lt;IP1&gt;\d+\.\d+\.\d+\.\d+).*(?&lt;IP2&gt;\d+\.\d+\.\d+\.\d+)"</LI-CODE><P>if you want also the country associated to each IP, you could use&nbsp;something like this (similar to&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/115436">@etoombs</a>&nbsp;solution) :</P><LI-CODE lang="markup">your_search | rex "IP\s+addresses:\s+(?&lt;Country1&gt;[^\(]+)\((?&lt;IP1&gt;\d+\.\d+\.\d+\.\d+).*(?&lt;Country2&gt;[^\(]+)\((?&lt;IP2&gt;\d+\.\d+\.\d+\.\d+)"</LI-CODE><P>I prefer the following solution:</P><LI-CODE lang="markup">your_search | rex "(?&lt;Country&gt;[^\(]+)\((?&lt;IP&gt;\d+\.\d+\.\d+\.\d+)"</LI-CODE><P>Ciao.</P><P>Giuseppe</P> Tue, 17 May 2022 06:30:16 GMT https://community.splunk.com/t5/Splunk-Search/How-to-extract-a-field-from-my-raw-data-using-rex/m-p/598036#M208247 gcusello 2022-05-17T06:30:16Z