All Apps and Add-ons
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Retrieve last value in a comma-delimited field

ericksond
Engager
‎02-07-2012 12:02 PM

If my rex field has one or multiple fields delimited by commas, how can I get the last value if there is more than one? Or if there is only one value, then retrieve that one.

Search: sourcetype="xxxxxx" | rex field=_raw "True IP:(?.*)"

True IP:68.5.194.110, 204.2.160.228
True IP:81.21.89.165

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ericksond
Engager
‎02-08-2012 02:03 PM

Thank you Kristian, you did give me the idea to resolve the issue correctly. It appears that what I needed was the first IP address and not the last.

I discovered erex and what a powerful tool! It generated the following rex that solved my problem:

rex "(?i) IP?:(?P<true_ip>\d+\.\d+\.\d+\.\d+)"

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

ericksond
Engager
‎02-08-2012 02:03 PM

Thank you Kristian, you did give me the idea to resolve the issue correctly. It appears that what I needed was the first IP address and not the last.

I discovered erex and what a powerful tool! It generated the following rex that solved my problem:

rex "(?i) IP?:(?P<true_ip>\d+\.\d+\.\d+\.\d+)"
0 Karma
Reply
Solved! Jump to solution

kristian_kolb
Ultra Champion
‎02-07-2012 12:49 PM

If you are not interested in the first of two TrueIP's, you could always do something like this for a log message that looks like:

message=blah user=admin true IP: 1.2.3.4, 2.3.4.5 error=fatal

the field extraction would be something like:

rex ",?\s(?<true_ip>\d+\.\d+\.\d+\.\d+)\serror="

hope this helps, but please provide more info in order to get better help

/k

0 Karma
Reply
Get Updates on the Splunk Community!

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

New Release | Splunk Cloud Platform 10.1.2507

Hello Splunk Community!We are thrilled to announce the General Availability of Splunk Cloud Platform 10.1.2507 ...

🌟 From Audit Chaos to Clarity: Welcoming Audit Trail v2

&#x1f5e3; You Spoke, We Listened  Audit Trail v2 wasn’t written in isolation—it was shaped by your voices.  In ...