topic Re: How to extract first ip from &quot;http_x_forwarded_for=&quot;222.xx.xx.xx, 122.211.xx.xx&quot; using rex in splunk in Splunk Search https://community.splunk.com/t5/Splunk-Search/How-to-extract-first-ip-from-quot-http-x-forwarded-for-quot-222/m-p/649936#M224704 <P>|rex "(?im)\w+<SPAN>\=\"</SPAN>(?P&lt;<SPAN>http_x_forwarded_for</SPAN>&gt;.[^\,]+)"<BR /><BR />or else<BR />|rex "(?im)\w+<SPAN>\=\"</SPAN>(?P&lt;<SPAN>http_x_forwarded_for</SPAN>&gt;\d+\.\d+\.\d+\.\d+)"</P> Tue, 11 Jul 2023 07:54:32 GMT santoshneelam 2023-07-11T07:54:32Z How to extract first ip from "http_x_forwarded_for="222.xx.xx.xx, 122.211.xx.xx" using rex in Splunk search? https://community.splunk.com/t5/Splunk-Search/How-to-extract-first-ip-from-quot-http-x-forwarded-for-quot-222/m-p/649935#M224703 <P>here is field "http_x_forwarded_for="222.xx.xx.xx, 122.211.xx.xx"</P> <P>i have try:</P> <P><SPAN>| rex field=_raw "http_x_forwarded_for\s*=\s*(?&lt;ip_address&gt;</SPAN><SPAN class="">[^,\s]</SPAN><SPAN>+)" </SPAN></P> <P><SPAN>| </SPAN><SPAN class="">table</SPAN><SPAN> ip_address</SPAN></P> <P>But it not works, pls help !</P> Tue, 11 Jul 2023 14:40:12 GMT https://community.splunk.com/t5/Splunk-Search/How-to-extract-first-ip-from-quot-http-x-forwarded-for-quot-222/m-p/649935#M224703 minhquannguyen7 2023-07-11T14:40:12Z Re: How to extract first ip from "http_x_forwarded_for="222.xx.xx.xx, 122.211.xx.xx" using rex in splunk https://community.splunk.com/t5/Splunk-Search/How-to-extract-first-ip-from-quot-http-x-forwarded-for-quot-222/m-p/649936#M224704 <P>|rex "(?im)\w+<SPAN>\=\"</SPAN>(?P&lt;<SPAN>http_x_forwarded_for</SPAN>&gt;.[^\,]+)"<BR /><BR />or else<BR />|rex "(?im)\w+<SPAN>\=\"</SPAN>(?P&lt;<SPAN>http_x_forwarded_for</SPAN>&gt;\d+\.\d+\.\d+\.\d+)"</P> Tue, 11 Jul 2023 07:54:32 GMT https://community.splunk.com/t5/Splunk-Search/How-to-extract-first-ip-from-quot-http-x-forwarded-for-quot-222/m-p/649936#M224704 santoshneelam 2023-07-11T07:54:32Z Re: How to extract first ip from "http_x_forwarded_for="222.xx.xx.xx, 122.211.xx.xx" using rex in splunk https://community.splunk.com/t5/Splunk-Search/How-to-extract-first-ip-from-quot-http-x-forwarded-for-quot-222/m-p/649945#M224707 <P>thanks you <a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/225680">@santoshneelam</a> !&nbsp; i want extract in the different log with any field look like this , what shoud i do ???</P><P>&nbsp;</P> Tue, 11 Jul 2023 10:00:30 GMT https://community.splunk.com/t5/Splunk-Search/How-to-extract-first-ip-from-quot-http-x-forwarded-for-quot-222/m-p/649945#M224707 minhquannguyen7 2023-07-11T10:00:30Z