https://community.splunk.com/t5/Splunk-Search/Extract-ip-address-from-result/m-p/687151#M234372 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/80737">@inventsekar</a>&nbsp;This works only for the ip address 1.2.3.4. What do I do if the ip address changes to 5.6.7.8 or 4.3.2.1?&nbsp;</P> Fri, 10 May 2024 11:43:28 GMT nsiva 2024-05-10T11:43:28Z https://community.splunk.com/t5/Splunk-Search/Extract-ip-address-from-result/m-p/687085#M234343 <P>my output in splunk is as below&nbsp;</P><P>&lt;error code #&gt; IP Address is x.y.z.a&nbsp;</P><P>&nbsp;</P><P>I want to extract only the x.y.z.a and its count. Should ignore duplicates.</P><P>&nbsp;</P><P>Can someone please assist?</P> Thu, 09 May 2024 18:49:39 GMT https://community.splunk.com/t5/Splunk-Search/Extract-ip-address-from-result/m-p/687085#M234343 nsiva 2024-05-09T18:49:39Z https://community.splunk.com/t5/Splunk-Search/Extract-ip-address-from-result/m-p/687086#M234344 <P>Please see this previous post:&nbsp;<A href="https://community.splunk.com/t5/Splunk-Search/How-to-extract-ip-address-using-regex/m-p/379717" target="_blank">https://community.splunk.com/t5/Splunk-Search/How-to-extract-ip-address-using-regex/m-p/379717</A></P> Thu, 09 May 2024 18:57:08 GMT https://community.splunk.com/t5/Splunk-Search/Extract-ip-address-from-result/m-p/687086#M234344 nyc_jason 2024-05-09T18:57:08Z https://community.splunk.com/t5/Splunk-Search/Extract-ip-address-from-result/m-p/687088#M234345 <P>I did look at that but couldn’t comprehend it to my need. Hence, posted this.&nbsp;</P> Thu, 09 May 2024 19:12:36 GMT https://community.splunk.com/t5/Splunk-Search/Extract-ip-address-from-result/m-p/687088#M234345 nsiva 2024-05-09T19:12:36Z https://community.splunk.com/t5/Splunk-Search/Extract-ip-address-from-result/m-p/687091#M234347 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/267764">@nsiva</a>&nbsp;Please try this:</P><LI-CODE lang="markup">| makeresults | eval _raw = "123 IP Address is 1.2.3.4" | rex field=_raw "is\s(?P&lt;ip&gt;.*)" | table _raw ip</LI-CODE><P>once if the rex is working fine, then you can do,<BR />"|stats count by ip"</P><P>&nbsp;</P><P>let us know what happens, thanks.&nbsp;</P> Thu, 09 May 2024 19:16:00 GMT https://community.splunk.com/t5/Splunk-Search/Extract-ip-address-from-result/m-p/687091#M234347 inventsekar 2024-05-09T19:16:00Z https://community.splunk.com/t5/Splunk-Search/Extract-ip-address-from-result/m-p/687151#M234372 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/80737">@inventsekar</a>&nbsp;This works only for the ip address 1.2.3.4. What do I do if the ip address changes to 5.6.7.8 or 4.3.2.1?&nbsp;</P> Fri, 10 May 2024 11:43:28 GMT https://community.splunk.com/t5/Splunk-Search/Extract-ip-address-from-result/m-p/687151#M234372 nsiva 2024-05-10T11:43:28Z https://community.splunk.com/t5/Splunk-Search/Extract-ip-address-from-result/m-p/687157#M234374 <P>Hey&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/267764">@nsiva</a>&nbsp;,</P><P>The query that&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/80737">@inventsekar</a>&nbsp;has posted will work with any of the ip address provided the raw event is&nbsp;</P><PRE>123 IP Address is 1.2.3.4</PRE><P>&nbsp;Can you please elaborate why the solution doesn't work for you?&nbsp;</P><P>And for your reference, I've used 4.3.2.1 in _raw and it still extracts the ip address. Find the below screenshot.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="tej57_0-1715344085679.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/30766i22D7B3751C2A9A0E/image-size/medium?v=v2&amp;px=400" role="button" title="tej57_0-1715344085679.png" alt="tej57_0-1715344085679.png" /></span></P><P>&nbsp;</P><P>To assist you better, it would be great if you can provide the raw events and then ip field can be extracted from the same. You can redact the sensitive information.</P><P>&nbsp;</P><P>Thanks,<BR />Tejas.</P> Fri, 10 May 2024 12:29:40 GMT https://community.splunk.com/t5/Splunk-Search/Extract-ip-address-from-result/m-p/687157#M234374 tej57 2024-05-10T12:29:40Z https://community.splunk.com/t5/Splunk-Search/Extract-ip-address-from-result/m-p/687159#M234375 <LI-CODE lang="markup">#your base search which produce the logs, ... like index=abc sourcetype=abc index=firewall sourcetype=abc | rex field=_raw "is\s(?P&lt;ip&gt;.*)" | table _raw ip | stats count by ip</LI-CODE><P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/267764">@nsiva</a>&nbsp;..&nbsp;</P><P>if this search does not work, pls show us a screenshot.. thanks.&nbsp;</P><P>&nbsp;</P> Fri, 10 May 2024 12:47:03 GMT https://community.splunk.com/t5/Splunk-Search/Extract-ip-address-from-result/m-p/687159#M234375 inventsekar 2024-05-10T12:47:03Z