How to extract client IPs in a different format th...

allyandrews14 · ‎07-27-2012

I am researching information into error log files and the way they're formatted is different so Splunk doesn't recognize the client ip addresses even though they're there and I have to format a report on the top 50 ip addresses, but I am not sure how to go about extracting them? Or if I need to add a new field?

As well, I had to format a list of the top 50 error types and it turned out that there were only 10 error types that covered all the log. But, when I went to record the count, when I added them all up, there was more than Splunk is showing as the count of the whole log file. I have double and triple checked, isolated each of the events and adding them up and even excluding one event and checking to see the amount left over. I can't seem to figure out what could be wrong.

MHibbin · ‎07-27-2012

Any example for the raw events containing the IP address. At a basic level, the following regex will pick up IP addresses in dotted decimal format (e.g. 192.168.0.2)

(?P<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})

There is a more specific regex, as this would pick up subnet masks (e.g. 255.255.255.0) if they exist.

How to extract client IPs in a different format than Splunk recognizes?

Splunk Security Content for Threat Detection & Response, Q1 Roundup

Splunk Life | Happy Pride Month!

SplunkTrust | Where Are They Now - Michael Uschmann