https://community.splunk.com/t5/Splunk-Search/Rex-Question/m-p/185890#M53566 <P>Please post a sample of your data.</P> Fri, 24 Oct 2014 18:26:55 GMT richgalloway 2014-10-24T18:26:55Z https://community.splunk.com/t5/Splunk-Search/Rex-Question/m-p/185889#M53565 <P>Hi,</P> <P>Does anyone know what i need to put in between these two fields in order to make the query continue on the ip2 if ip1 is found on a single log event? Sometimes there may <STRONG>not</STRONG> be an ip2... \s+ is what i have currently.</P> <PRE><CODE>| rex "(?i)(?&lt;ip1&gt;\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\s+(?&lt;ip2&gt;\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})" </CODE></PRE> Fri, 24 Oct 2014 18:25:14 GMT https://community.splunk.com/t5/Splunk-Search/Rex-Question/m-p/185889#M53565 ho000dor 2014-10-24T18:25:14Z https://community.splunk.com/t5/Splunk-Search/Rex-Question/m-p/185890#M53566 <P>Please post a sample of your data.</P> Fri, 24 Oct 2014 18:26:55 GMT https://community.splunk.com/t5/Splunk-Search/Rex-Question/m-p/185890#M53566 richgalloway 2014-10-24T18:26:55Z https://community.splunk.com/t5/Splunk-Search/Rex-Question/m-p/185891#M53567 <P>hodor </P> <P>also sample data.</P> Fri, 24 Oct 2014 18:41:56 GMT https://community.splunk.com/t5/Splunk-Search/Rex-Question/m-p/185891#M53567 sk314 2014-10-24T18:41:56Z https://community.splunk.com/t5/Splunk-Search/Rex-Question/m-p/185892#M53568 <P>It could vary. </P> <P>Anything from:</P> <PRE><CODE>192.168.1.1 4.2.2.2 blah blah other stuff or otherstuff 192.168.1.1 blah blah or otherstuff blah blah 192.168.1.1 blah blah 4.2.2.2 otherstuff </CODE></PRE> <P>ip2 <STRONG>can</STRONG> be null if there isn't a second IP. Is that possible or do i have to set up a second | rex?</P> Fri, 24 Oct 2014 18:47:50 GMT https://community.splunk.com/t5/Splunk-Search/Rex-Question/m-p/185892#M53568 ho000dor 2014-10-24T18:47:50Z https://community.splunk.com/t5/Splunk-Search/Rex-Question/m-p/185893#M53569 <P>have you tried this rex max_match=2 field=_raw " (?i)(?\d{1,3}.\d{1,3}.\d{1,3}.\d{1,3})*" with max_match parameter set to 2 as mentioned in this <A href="http://answers.splunk.com/answers/47381/how-to-extract-all-matching-values-from-an-event-using-regex.html" target="_blank">http://answers.splunk.com/answers/47381/how-to-extract-all-matching-values-from-an-event-using-regex.html</A></P> Mon, 28 Sep 2020 17:57:49 GMT https://community.splunk.com/t5/Splunk-Search/Rex-Question/m-p/185893#M53569 sk314 2020-09-28T17:57:49Z https://community.splunk.com/t5/Splunk-Search/Rex-Question/m-p/185894#M53570 <P>Try this (run anywhere sample, before rex part is to generate sample data)</P> <PRE><CODE>|gentimes start=-1 | eval temp="192.168.1.1 4.2.2.2 blah blah other stuff #otherstuff 192.168.1.1 blah blah#otherstuff blah blah 192.168.1.1 blah blah 4.2.2.2 otherstuff" | table temp | makemv temp delim="#" | mvexpand temp | rename temp as _raw | rex "(?i)(?&lt;ip1&gt;\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})(.*(?&lt;ip2&gt;(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}))|.*)" </CODE></PRE> Fri, 24 Oct 2014 19:29:02 GMT https://community.splunk.com/t5/Splunk-Search/Rex-Question/m-p/185894#M53570 somesoni2 2014-10-24T19:29:02Z https://community.splunk.com/t5/Splunk-Search/Rex-Question/m-p/185895#M53571 <P>That's exactly what i'm looking for! Thanks a lot!</P> Fri, 24 Oct 2014 19:29:29 GMT https://community.splunk.com/t5/Splunk-Search/Rex-Question/m-p/185895#M53571 ho000dor 2014-10-24T19:29:29Z https://community.splunk.com/t5/Splunk-Search/Rex-Question/m-p/185896#M53572 <P>Thanks a lot! </P> Fri, 24 Oct 2014 19:32:13 GMT https://community.splunk.com/t5/Splunk-Search/Rex-Question/m-p/185896#M53572 ho000dor 2014-10-24T19:32:13Z https://community.splunk.com/t5/Splunk-Search/Rex-Question/m-p/185897#M53573 <P>It'd be nice for future generations to accept the answer that solved the problem instead. Then others can immediately see the solution if they have similar questions rather than guessing what's the solution.</P> Fri, 24 Oct 2014 20:03:08 GMT https://community.splunk.com/t5/Splunk-Search/Rex-Question/m-p/185897#M53573 martin_mueller 2014-10-24T20:03:08Z