https://community.splunk.com/t5/Splunk-Search/Extract-field-from-another-field/m-p/121843#M32816 <P>Hi All,</P> <P>I am having a field which has content like below</P> <P>abc xyz sksk lsmlmlspmwmlmwpn wonmwm:29299 (abcxmmowmo.wsibi.w) <STRONG>X-Forwarded-For: xxx.xx.xxx.xxx</STRONG> xyz</P> <P>Please note that there is a space between X-Forwarded-For:&lt;space&gt;xxx.xx.xxx.xxx</P> <P>I want to extract the value of X-Forwarded-For: and then match it with a list of IPs from a lookup list and finally disregard those logs where this is a match.</P> <P>PLease help !!</P> Mon, 25 May 2015 06:16:34 GMT lohit 2015-05-25T06:16:34Z https://community.splunk.com/t5/Splunk-Search/Extract-field-from-another-field/m-p/121843#M32816 <P>Hi All,</P> <P>I am having a field which has content like below</P> <P>abc xyz sksk lsmlmlspmwmlmwpn wonmwm:29299 (abcxmmowmo.wsibi.w) <STRONG>X-Forwarded-For: xxx.xx.xxx.xxx</STRONG> xyz</P> <P>Please note that there is a space between X-Forwarded-For:&lt;space&gt;xxx.xx.xxx.xxx</P> <P>I want to extract the value of X-Forwarded-For: and then match it with a list of IPs from a lookup list and finally disregard those logs where this is a match.</P> <P>PLease help !!</P> Mon, 25 May 2015 06:16:34 GMT https://community.splunk.com/t5/Splunk-Search/Extract-field-from-another-field/m-p/121843#M32816 lohit 2015-05-25T06:16:34Z https://community.splunk.com/t5/Splunk-Search/Extract-field-from-another-field/m-p/121844#M32817 <P>Hi lohit,</P> <P>you can use something like this:</P> <PRE><CODE>your base search the get the field | rex field=TheFieldName "X-Forwarded-For:\s(?&lt;myNew&gt;.*)\s" | .... </CODE></PRE> <P>This will create a new field called <CODE>myNew</CODE>.<BR /> Also take a look at this page <A href="https://regex101.com">https://regex101.com</A> to learn and try regex and as well at the docs about the <CODE>field extractor</CODE> <A href="http://docs.splunk.com/Documentation/Splunk/6.2.3/Knowledge/ExtractfieldsinteractivelywithIFX">http://docs.splunk.com/Documentation/Splunk/6.2.3/Knowledge/ExtractfieldsinteractivelywithIFX</A> and learn how to use it. It helps you to get anything out of your events into fields, which then can be used in any further search within the same app.</P> <P>Hope this helps ...</P> <P>cheers, MuS</P> Mon, 25 May 2015 06:36:53 GMT https://community.splunk.com/t5/Splunk-Search/Extract-field-from-another-field/m-p/121844#M32817 MuS 2015-05-25T06:36:53Z https://community.splunk.com/t5/Splunk-Search/Extract-field-from-another-field/m-p/121845#M32818 <P>Thanks MuS. I figured it out earlier but with a more complex regex.</P> Mon, 25 May 2015 06:59:50 GMT https://community.splunk.com/t5/Splunk-Search/Extract-field-from-another-field/m-p/121845#M32818 lohit 2015-05-25T06:59:50Z https://community.splunk.com/t5/Splunk-Search/Extract-field-from-another-field/m-p/121846#M32819 <P>When you figure out your own answer, the proper thing to to is to answer your own question here and "Accept" your answer so that other people won't waste time trying to help you when you don't need it and so that others can be helped by your answer.</P> Sat, 06 Jun 2015 16:36:59 GMT https://community.splunk.com/t5/Splunk-Search/Extract-field-from-another-field/m-p/121846#M32819 woodcock 2015-06-06T16:36:59Z https://community.splunk.com/t5/Splunk-Search/Extract-field-from-another-field/m-p/121847#M32820 <P>Woodcock, if you can see i have already accepted MuS solution to be an answer. My reply was similar to MuS on that. Anywayz thanks for the suggestion.</P> Sat, 06 Jun 2015 16:43:54 GMT https://community.splunk.com/t5/Splunk-Search/Extract-field-from-another-field/m-p/121847#M32820 lohit 2015-06-06T16:43:54Z