Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Extract public and private IP addresses fields separately

cs308
Loves-to-Learn
‎08-02-2025 04:26 AM

I have trouble with getting public and private IP addresses fields separately. How can I extract private and public IP addresses fields separately using regex???  Because, when I extract IP field from failed ssh login log, I get both public and private  fields in same filed, therefore I want extract them in different fields.

Labels (1)
Labels
0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎08-02-2025 11:28 AM

1. Don't think about it like that. If a field in your data is - let's say - the source of the connection, it is that source regardless of whether it is a public IP or a private one. You can filter on that field later.

2. Even if you tried doing that it will not be pretty using regex alone.

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎08-02-2025 12:01 PM

@PickleRick I think the point is that @cs308 wants to be able to determine if an IP address is private or not. Yes, the regex may not be pretty, but it is doable (about 135 characters for a version that detects private ip addresses, and about 150 characters for a version that detects non-private ip addresses). As I said, this depends on what the definition of private is and how robust the expression needs to be.

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎08-02-2025 04:59 AM

Please share what you have tried so far and some anonymised sample events that you are working with.

Also, is this ipv4 only?

In general, ipv4 private addresses fall into distinct groups, is it that you want to use these groups to determine which sort of address it is? If so, which groups do you want to treat as private? For example: 127.x.x.x, 192.168.x.x, etc?

0 Karma
Reply
Get Updates on the Splunk Community!

Observability Unlocked: Kubernetes Monitoring with Splunk Observability Cloud

 Ready to master Kubernetes and cloud monitoring like the pros? Join Splunk’s Growth Engineering team for an ...

Update Your SOAR Apps for Python 3.13: What Community Developers Need to Know

To Community SOAR App Developers - we're reaching out with an important update regarding Python 3.9's ...

October Community Champions: A Shoutout to Our Contributors!

As October comes to a close, we want to take a moment to celebrate the people who make the Splunk Community ...