topic Re: How to write a search to extract an IP address after a line within a Windows security event? in Splunk Search https://community.splunk.com/t5/Splunk-Search/How-to-write-a-search-to-extract-an-IP-address-after-a-line/m-p/128400#M34850 <P>Use a Regex, like that:</P> <PRE><CODE>index=bla "something to search" | rex field=_raw "x-ms-forwarded-client-ip (?P&lt;clientIP&gt;(\d{1,3}\.){3}\d{1,3})" </CODE></PRE> <P>Now you can see that a new field, named <CODE>clientIP</CODE>, will be available for you.</P> <P>Cheers,</P> Fri, 21 Nov 2014 01:10:34 GMT musskopf 2014-11-21T01:10:34Z How to write a search to extract an IP address after a line within a Windows security event? https://community.splunk.com/t5/Splunk-Search/How-to-write-a-search-to-extract-an-IP-address-after-a-line/m-p/128399#M34849 <P>Hello, I have the following:</P> <P>11/20/2014 11:04:58 AM <BR /> LogName=Security <BR /> SourceName=AD FS 2.0 Auditing <BR /> EventCode=501<BR /> .<BR /> .<BR /> .<BR /> <A href="http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-forwarded-client-ip">http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-forwarded-client-ip</A> <BR /> 1.1.1.1<BR /> .<BR /> .<BR /> .<BR /> .</P> <P>How can I construct a query to get the IP address in the result ? I am looking for a way to get data in the line after <A href="http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-forwarded-client-ip">http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-forwarded-client-ip</A></P> Fri, 21 Nov 2014 00:21:27 GMT https://community.splunk.com/t5/Splunk-Search/How-to-write-a-search-to-extract-an-IP-address-after-a-line/m-p/128399#M34849 pyi 2014-11-21T00:21:27Z Re: How to write a search to extract an IP address after a line within a Windows security event? https://community.splunk.com/t5/Splunk-Search/How-to-write-a-search-to-extract-an-IP-address-after-a-line/m-p/128400#M34850 <P>Use a Regex, like that:</P> <PRE><CODE>index=bla "something to search" | rex field=_raw "x-ms-forwarded-client-ip (?P&lt;clientIP&gt;(\d{1,3}\.){3}\d{1,3})" </CODE></PRE> <P>Now you can see that a new field, named <CODE>clientIP</CODE>, will be available for you.</P> <P>Cheers,</P> Fri, 21 Nov 2014 01:10:34 GMT https://community.splunk.com/t5/Splunk-Search/How-to-write-a-search-to-extract-an-IP-address-after-a-line/m-p/128400#M34850 musskopf 2014-11-21T01:10:34Z