Solved: Retrieve last value in a comma-delimited field - Splunk Community

All Apps and Add-ons

If my rex field has one or multiple fields delimited by commas, how can I get the last value if there is more than one? Or if there is only one value, then retrieve that one.

Search: sourcetype="xxxxxx" | rex field=_raw "True IP:(?.*)"

True IP:68.5.194.110, 204.2.160.228
True IP:81.21.89.165

1 Solution

Solution

Thank you Kristian, you did give me the idea to resolve the issue correctly. It appears that what I needed was the first IP address and not the last.

I discovered erex and what a powerful tool! It generated the following rex that solved my problem:

rex "(?i) IP?:(?P<true_ip>\d+\.\d+\.\d+\.\d+)"

View solution in original post

Solution

Thank you Kristian, you did give me the idea to resolve the issue correctly. It appears that what I needed was the first IP address and not the last.

I discovered erex and what a powerful tool! It generated the following rex that solved my problem:

rex "(?i) IP?:(?P<true_ip>\d+\.\d+\.\d+\.\d+)"

If you are not interested in the first of two TrueIP's, you could always do something like this for a log message that looks like:

message=blah user=admin true IP: 1.2.3.4, 2.3.4.5 error=fatal

the field extraction would be something like:

rex ",?\s(?<true_ip>\d+\.\d+\.\d+\.\d+)\serror="

hope this helps, but please provide more info in order to get better help

/k

Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members! The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...